User Guide
2015 Dell Inc.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a
software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the
applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written
permission of Dell Inc.
The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or
otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT
AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO
LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR
INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS
OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of
the contents of this document and reserves the right to make changes to specifications and product descriptions at any time
without notice. Dell does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Dell Inc.
Attn: LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
Refer to our web site (software.dell.com) for regional and international office information.
Patents
This product is protected by U.S. Patents # 7,979,494; 8,185,598; 8,266,231; and 8,650,578. Additional Patents Pending.
Trademarks
Dell, the Dell logo, GPOADmin, SonicWALL and InTrust are trademarks of Dell Inc. Microsoft, Active Directory, ActiveSync,
Excel, Internet Explorer, Lync, Office 365, OneDrive, Outlook, SharePoint, SQL Server, Windows, Windows PowerShell and
Windows Server are either registered trademarks or trademarks of the Microsoft Corporation in the United States and/or other
countries. Linux is a registered trademark of Linus Torvalds in the United States and other countries. EMC, Celerra, Isilon, VNX,
and VNXe are registered trademarks of EMC Corporation. VMware, ESX, ESXi, and vCenter are registered trademarks or
trademarks of VMware, Inc. in the United States or other countries. Safari and iCloud are registered trademarks of Apple Inc.
Google Drive is a trademark of Google Inc. Amazon Cloud Drive is a trademark of Amazon.com, Inc. or its affiliates. Blackberry
and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the
U.S. and countries around the world. Used under license from Research In Motion Limited. Itanium is a trademark of the Intel
Corporation in the U.S. and/or other countries. Box is a registered trademark of Box. Change Auditor is not affiliated with or
otherwise sponsored by Dropbox, Inc. Other trademarks and trade names may be used in this document to refer to either the
entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of
others.
Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
Change Auditor User Guide
Updated - August 2015
Software Version - 6.7
Contents
Dell Change Auditor Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Change Auditor Client Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Start the Change Auditor client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Start Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Manage connection profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Connection wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Client components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Customize table content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Sort data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Resize or move columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Add or remove columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Group data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Filter data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Directory object picker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Agent Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Deployment page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Deploy agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Change the agent installation location and system tray option . . . . . . . . . . . . . . . . . .30
Enable auto deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Refresh or clear Deployment page information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Overview Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
My Favorite Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Define a favorite search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Overview panes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Event Details pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Searches page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Explorer view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Searches list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Search Properties tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
View a list of available searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Run searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Run a quick search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Search Results and Event Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Search Results page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Dell Change Auditor 6.7
User Guide
1 Dell Change Auditor Overview
Dell Change Auditor provides total auditing and security coverage for your enterprise network. Change Auditor
audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information
about vital changes and activities as they occur. Instantly know who made the change including the IP address of
the originating workstation, where and when it occurred along with before and after values. Then automatically
turn that information into intelligent, in-depth forensics for auditors and management -- and reduce the risks
associated with day-to-day modifications.
Audit all critical changes across your enterprise including Active Directory, Exchange, Windows File
Servers, NetApp, EMC, SQL Server, VMware vCenter, SharePoint, and Microsoft Lync.
Track cloud storage and data consumption activity by auditing the use of Dropbox, Dropbox for
Business, Box, and OneDrive.
Collect user logon and logoff activity for regulatory compliance and user activity tracking.
Automate ongoing compliance with tracking and reporting for best practices and regulatory compliance
mandates for SOX, PCI-DSS, HIPAA, FISMA, GLBA and more.
Speed troubleshooting through real-time insight into changes with a comprehensive audit library
including built-in audit alerts, reports and powerful searches.
Proactively protect (lock down) critical Active Directory objects, Exchange Mailboxes and Windows files
and folders from harmful changes that could open security holes or cause resources to become
unavailable.
Modular approach allows separate product deployment and management for key environments including
Active Directory, Exchange, Windows File Servers, NetApp, EMC, SQL Server, Active Directory Query,
SharePoint, Logon Activity, and Lync.
Integrate with other Dell products to track, audit, report and alert on critical changes made using Dell
One Identity Authentication Services, Dell One Identity Defender, and Dell SonicWALL.
Change Auditor for Exchange can also provide additional protection over important mailboxes. The
Exchange Mailbox protection feature prevents unwanted access to Exchange mailboxes, making it much
more difficult for rogue administrators to access critical mailboxes.
The Dell Change Auditor for Logon Activity User license enables server agents to audit
authentication activity, domain controller authentication activity (Kerberos), and user logon
session activity (the actual time spent on a server).
The Dell Change Auditor for Logon Activity Workstation license enables workstation agents to
audit authentication activity and user logon session activity (the actual time spent on a
workstation).
Many enterprises are adopting Microsoft Lync as a standard IM and meeting client; therefore,
monitoring and managing changes in Lync has become critical. The Dell Change Auditor for Lync module
audits configuration and security setting changes in on-premise deployments of Microsoft Lync Server
2010 and 2013, providing real-time change notifications for items sourced in Active Directory.
Unix/Linux/Mac-related data for Active Directory users, groups, computers, NIS objects and
Authentication Services personalities
NOTE: The Dell Change Auditor User Guide explains the core functionality available in Change Auditor
regardless of the product license that has been applied. In addition, there are separate user guides
available that describe the additional functionality added to Change Auditor when the different auditing
modules are licensed. The supplemental user guides include:
2 Change Auditor Client Overview
Start the Change Auditor client
Connecting the client to a coordinator depends on the following conditions:
Communications are successful, meaning the coordinator service is running and its SCP listening port is reachable (not blocked by a firewall between the client and the coordinator). If this condition fails, the Change Auditor client displays an error dialog stating the issue.
The current authenticated user running the Change Auditor client has the proper credentials for accessing the Change Auditor coordinator service. If this condition fails, the client displays the Coordinator Credentials Required dialog, allowing you to enter the proper logon credentials to access the Change Auditor coordinator.
When using a direct database connection, the current authenticated user running the Change Auditor client has the proper SQL credentials for accessing the SQL database. If this condition fails, the client displays the Database Credentials Required dialog, allowing you to enter the proper logon credentials to access the SQL database.
Select Start | All Programs | Dell | Change Auditor | Change Auditor Client.
The Connection screen appears allowing you to connect to the default connection profile or
define/specify a different connection profile.
A connection profile defines the connection method used to connect to a Change Auditor coordinator in
trusted or untrusted forests, or to the database directly without connecting with the Change Auditor
coordinator. See Manage Connection Profiles in the Dell Change Auditor User Guide for more
information on defining connection profiles.
Initially, select the Connect button to use the default connection profile.
After you have defined alternate connection profiles, select the appropriate profile from the drop-down
list and click Connect.
If you do not have the proper credentials required for access, the credentials dialogs will be displayed
allowing you to enter the required credentials.
The first time the client is opened, you will be presented with the Start page which provides up-to-date
product information.
Select the Deployment page to deploy Change Auditor agents. This page may initially be empty until the current forest's server topology has been harvested; the page is refreshed automatically once that task has completed.
NOTE: Topology scan takes a long time when the environment contains a large number of
workstations.
Once agents are deployed and you launch the Change Auditor client, you will be presented with the
Overview page, which provides a real-time stream of events based on a favorite search definition as
well as other valuable summary information about the application.
Start Page
From the Start page you can view and access relevant information regarding Change Auditor including news and
updates, support and knowledge base content, online documentation (release notes and guide), links to the
latest releases, and essential contact links.
If you do not want to see this page each time you open the client, clear the Display this page each time I log in option. Once this option has been cleared, the next time you log in you are taken directly to the Overview page. However, we suggest you keep the Start page active, as it contains the most up-to-date access to the supporting information you may require.
Manage connection profiles
The Manage Connection Profiles dialog appears. On this dialog, click the Add button to launch the Connection wizard, which will step you through the process of defining a new profile.
NOTE: Previously defined connection profiles (e.g., the default connection profile and any user
defined connection profiles) are listed at the top of this dialog allowing you to review the details of
each connection profile and edit any user defined profiles.
On the Change Auditor Environment page of the wizard, select the connection method to be used. The
connection methods available include:
Forest - use this method to connect to a coordinator in a trusted forest. Enter the DNS name of
the forest.
Global Catalog - use this method to connect to a coordinator in an untrusted forest. Enter the
name or IP address of the global catalog to be used.
Manual - use this method to connect to a Change Auditor coordinator server located in a different
Active Directory
Database Direct - use this method to bypass the coordinator and connect directly to the Change
Auditor database (i.e., use this method to connect to an archived 6.x database).
NOTE: The access role will be as an operator with read-only privileges when using the
Database Direct connection method; therefore, the Administration Tasks tab is not
available in the Change Auditor client.
Depending on the connection method selected, enter the requested information on the Connect to
Change Auditor Coordinator page:
Forest - select the Service Connection Point (SCP) to be used to connect to the coordinator.
Global Catalog - select the SCP to be used. To override the coordinator service DNS, you can enter
the IP address and port number assigned to the coordinator.
Manual - enter the fully-qualified domain name or IP address (IPv4 or IPv6) of the server where
the coordinator resides and specify the port number assigned to the coordinator.
NOTE: If the coordinator host cannot be resolved by DNS (e.g., if the coordinator service is
running under a service account instead of Local System) you must enter the IP address of
the server where the coordinator resides.
Database Direct - use the Browse button to select the SQL instance and Change Auditor database.
NOTE: If the current authenticated user does not have the proper SQL credentials to access
the selected database, the Database Credentials Required dialog appears allowing you to
enter logon credentials to access the selected SQL database.
On the Connection Profile Summary page, review the connection profile details, name the profile and
click the Test button to test the new connection profile. Click the Finish button to save the connection
profile and close the Connection wizard.
On the Manage Connection Profile dialog, the new connection profile will be added to the list. Click Save
to save the new profile and close the Manage Connection Profile dialog.
To use this new connection profile, select it from the drop-down list on the Connection screen and click
the Connect button.
If you do not have the proper credentials required for access, the appropriate credentials dialogs will be
displayed allowing you to enter the appropriate credentials.
Connection wizard
The Connection wizard is launched when the Add button at the bottom of the Manage Connection Profiles dialog
is clicked. This wizard steps you through the process of defining a new connection profile.
Select one of the following connection methods. Depending on the option selected, additional information will
be requested on this or subsequent pages.
NOTE: If logon credentials are required for access, the appropriate credentials dialog will be displayed
allowing you to enter the appropriate credentials.
Forest
Select this option to locate a Change Auditor service in a trusted forest. By default
the local forest will be displayed; however, you can enter the DNS name of a
different trusted forest that has access to a DNS server and can be resolved.
NOTE: You cannot enter an IP address in this field.
Global Catalog
Manual
Select this option to manually specify the fully-qualified domain name or the IP
address of the server where the coordinator resides and the port number assigned
to the coordinator.
Database Direct
Select this option to connect to the Change Auditor database directly, without
going through the coordinator, and enter the requested information.
NOTE: Use the Database Direct method to connect to an archived 6.x Change
Auditor database.
An additional page will be displayed requesting the following information:
Change Auditor Server (\SQL Instance) - Enter or use the Browse button to
select the server (name or IP address) and the SQL instance for the Change
Auditor database.
Change Auditor Database - Enter the name of the Change Auditor database.
NOTE: When using the Database Direct option, the Administration Tasks tab is not
available in the Change Auditor client.
Connect to Change Auditor Coordinator page
This page is displayed after you have selected the connection method to be used. The information required to
be entered on this page is based on the connection method selected on the previous page.
Service Connection Point
When the Forest or Global Catalog options are selected on the previous page, this
list displays the Service Connection Points (SCPs) available for use. Select the SCP
to be used from this list.
If you selected the Global Catalog option and want to override the coordinator
service DNS, enter the IP address (IPv4 or IPv6) of the server where the coordinator
resides.
If you selected the Manual option on the previous page, enter the fully-qualified
domain name or IP address (IPv4 or IPv6) of the server where the coordinator
resides.
NOTE: If the coordinator host cannot be resolved by DNS (e.g., if the coordinator
service is running under a service account instead of Local System) you must enter
the IP address of the server where the coordinator resides.
Coordinator Port
If you selected the Global Catalog option and entered the IP address to override
the coordinator server DNS, enter the port number assigned to the coordinator.
If you selected the Manual option on the previous page, enter the port number
assigned to the coordinator.
NOTE: You can obtain the port number assigned to a coordinator using the
coordinator log file or Coordinator Status dialog (coordinator system tray icon).
Connection Profile Summary page
This portion of the page displays the settings defined on the previous pages of the wizard. The content depends on the connection method selected. The information displayed may include:
Connection method
Coordinator
Port
SPN
Test
Click this button to test the connection as defined in the connection profile.
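The following PowerShell script is an added example; it is not part of this guide or of the Change Auditor product. It turns the three connection conditions listed under Start the Change Auditor client, together with the SCP, host, port and Database Direct settings collected by the Connection wizard, into checks you can run from an administrative workstation before you open the client. It assumes the ActiveDirectory module is installed. The host name, port, SQL instance and database name are placeholders, and the keyword pattern used to recognise the coordinator's SCP is an assumption that you should verify against a known SCP in your own forest.

```powershell
# Added example, not part of the Change Auditor guide or product. It turns the
# conditions the client checks on connection into stand-alone tests. All host
# names, ports, instance and database names below are placeholders.
#Requires -Modules ActiveDirectory

function Find-CoordinatorScp {
    # Lists serviceConnectionPoint objects across the forest through a global
    # catalog, which is what the Forest / Global Catalog connection methods use.
    # ASSUMPTION: the coordinator's SCP can be recognised by this keyword pattern;
    # inspect the 'keywords' attribute of a known SCP and adjust it if needed.
    param([string]$KeywordPattern = '*Change Auditor*')
    $gc   = "$((Get-ADForest).Name):3268"
    $root = (Get-ADRootDSE -Server $gc).rootDomainNamingContext
    Get-ADObject -Server $gc -SearchBase $root -SearchScope Subtree `
        -LDAPFilter '(objectClass=serviceConnectionPoint)' `
        -Properties keywords, serviceDNSName, serviceBindingInformation |
      Where-Object { ($_.keywords -join ' ') -like $KeywordPattern } |
      Select-Object DistinguishedName, serviceDNSName, serviceBindingInformation
}

function Test-CoordinatorEndpoint {
    # First condition: the coordinator host resolves and its listening port
    # accepts a TCP connection, i.e. no firewall on the path drops the port.
    param(
        [Parameter(Mandatory)][string]$HostName,  # FQDN or IP from the SCP or the Manual profile
        [Parameter(Mandatory)][int]$Port,         # from the coordinator log or Coordinator Status dialog
        [int]$TimeoutMs = 3000
    )
    $r = [ordered]@{ Host = $HostName; Port = $Port; DnsResolves = $false; TcpOpen = $false; Error = $null }
    try {
        # An IP literal passes straight through, matching the guide's advice to
        # enter the IP address when the host cannot be resolved by DNS.
        $r.DnsResolves = @([System.Net.Dns]::GetHostAddresses($HostName)).Count -gt 0
    } catch { $r.Error = "DNS: $($_.Exception.Message)" }
    if ($r.DnsResolves) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($HostName, $Port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($ar)
                $r.TcpOpen = $true
            } else {
                $r.Error = "TCP: no answer on port $Port within $TimeoutMs ms"
            }
        } catch { $r.Error = "TCP: $($_.Exception.Message)" }
        finally { $client.Close() }
    }
    [pscustomobject]$r
}

function Test-DatabaseDirect {
    # Third condition: the current Windows identity can open the audit database.
    # Database Direct bypasses the coordinator, so the permissions reported here
    # are the only control on what this user can read from the audit trail.
    param(
        [Parameter(Mandatory)][string]$SqlInstance,   # 'server\instance' as entered in the wizard
        [Parameter(Mandatory)][string]$Database
    )
    # Encrypt=True keeps audit data off the wire in clear text; the SQL Server
    # certificate must be trusted by this workstation or the connection is refused.
    $cs = "Server=$SqlInstance;Database=$Database;Integrated Security=SSPI;" +
          "Encrypt=True;TrustServerCertificate=False;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE') ORDER BY permission_name"
        $rd = $cmd.ExecuteReader()
        $perms = while ($rd.Read()) { $rd.GetString(0) }
        $rd.Close()
        [pscustomobject]@{ Instance = $SqlInstance; Database = $Database; Connected = $true;  Detail = (@($perms) -join ', ') }
    } catch {
        [pscustomobject]@{ Instance = $SqlInstance; Database = $Database; Connected = $false; Detail = $_.Exception.Message }
    } finally { $conn.Dispose() }
}

# Example run with placeholder values. The port is taken from the coordinator
# log file or the Coordinator Status dialog, as described in the wizard notes.
Find-CoordinatorScp | Format-Table -AutoSize
Test-CoordinatorEndpoint -HostName 'cacoord01.corp.example.com' -Port 11000
Test-DatabaseDirect -SqlInstance 'casql01.corp.example.com\CA' -Database 'ChangeAuditor'
```

Run the three checks in the order the client applies them: if the SCP is missing or the port is closed, the credential dialogs never come into play. The permission list returned by Test-DatabaseDirect is worth reviewing on its own: because the Database Direct method goes around the coordinator, a SQL login with more than read access to the audit database can alter the audit trail, so keep those grants to read-only and confined to the people who need the archived data.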
Client components
Once a successful connection has been established, the client will be displayed. The Change Auditor client
contains the following main components:
Title Bar - is located across the top of the screen and displays the name of the forest and installation
name to which you are currently connected.
Menu Bar - is located directly below the title bar and displays the menus for accessing Change Auditor
commands. Please refer to the Change Auditor Commands appendix for a description of the menu bar
commands available.
File Menu - use the File Menu commands to connect to or disconnect from a Change Auditor
coordinator, print the currently displayed content, open client logs, or exit the Change Auditor
client.
Edit Menu - use the Edit Menu commands to manage your searches and folders on the Searches
page.
Action Menu - use the Action Menu commands to refresh or reset a page, autofit columns, display
the XML or SQL tabs, enable/disable the auto connect feature or enable/disable the desktop
notification messages.
View Menu - use the View Menu commands to display a different Change Auditor page.
Help Menu - use the Help menu commands to display the online help, retrieve general
information about this release, send feedback about using the product or collect system logs for
troubleshooting purposes.
Tabbed Pages - are displayed below the menu bar and are used to navigate through Change Auditor. The
pages that can be displayed, include:
Use the Start page to view and access relevant information regarding Change Auditor including
news and updates, support and knowledge base content, online documentation (release notes
and guide), links to the latest releases, and essential contact links.
Use the Deployment page to deploy, upgrade or uninstall Change Auditor agents from a single
location.
The Overview page provides a real-time stream of events based on a favorite search definition.
It also contains statistics about the events and the status information for the Change Auditor
agents and the Change Auditor coordinator.
The Searches page contains a list of all the searches available. From this page you can run a
search, create a customized search, enable/disable alerting and reporting for a search query.
A new Search Results page is created whenever a search is run. These pages contain a list of the
events returned as a result of the selected search. From this page, you can also view the details
of an event or the search properties used to return the displayed events.
The Alert History page is displayed when the Alert | History right-click command is selected for
an alert-enabled search definition on the Searches page and includes details regarding the events
that triggered the selected alert.
A new Report page is created whenever the Preview Report tool bar button is used on the Report
tab (Search Properties tabs) for a search query. The Report page displays a rendering of the
events returned as a result of the selected search.
A new Log page is created whenever one of the View Logs commands are selected and displays
the event details recorded in the selected log.
The Agent Statistics page displays status and statistics for all installed agents.
The Coordinator Statistics page displays status for all installed coordinators.
The Administration Tasks tab allows you to perform a variety of administration tasks. Use the
navigation pane in the left-hand pane to select the administrative task to be performed. Refer to
Administration Tasks for an overview of the tasks that can be performed using the Administration
Tasks tab and the product license required to perform these tasks.
Sort data
An arrow in the column heading identifies the sort criteria and the sort order (ascending or descending) being used to display the information.
Click a column heading to sort the grid by that column. The initial sort order is ascending; click the heading a second time to change it to descending.
To specify a secondary sort order, SHIFT + click the heading of the column to be used for the secondary sort.
Resize or move columns
To resize a column:
1 Place your cursor on the boundary between column headings (your cursor changes to a double arrow).
2 Click and hold the left mouse button and drag the column boundary to the desired size.
To move a column:
1 Use the left mouse button to click the heading to be moved (the column heading will pop off the table).
2 Drag that column heading to the desired location in the table (arrows indicate where you are placing the selected column).
Add or remove columns
1 Click the Field Chooser button.
2 The Field Chooser dialog appears, listing all of the data (columns) available for display. From this dialog, select the columns to be displayed and clear the columns you do not want displayed.
NOTE: For each individual search, you can select the data to be retrieved and displayed in the
client using the Layout search properties tab. From this tab you can also define column order, sort
criteria and order, groupings and the format to be used for displaying the retrieved data.
Group data
In addition, you can group data to create a collapsed view that can be expanded to view the detailed
information that applies to that group.
To group data:
1 Select a column heading (the column heading will pop off the table) and drag it to the space above the table. For example, use the left mouse button to click the Subsystem heading and drag it to the space above the table.
2 Optionally, repeat this step with additional headings to create a hierarchy of groupings.
This will collapse the table and display the groupings that can be expanded to view the detailed
information that applies to that group, as shown below.
To expand a group and display the individual events listed, click on the + sign to the left of the label.
When a grouping is in place, you can use the Pie Chart or Bar Graph icons, located at the top of the grid,
to redisplay the data.
NOTE: The pie chart and bar graph displays are only available when a single level grouping has
been applied to the data grid.
In either of these views, use the Data Grid icon to redisplay the data in the grid format.
To remove a grouping, select the heading and drag it back down into the table area or right-click a group
heading (in area above the grid) and select one of the remove commands.
Filter data
Traditional search capabilities provide the first phase of drilling down on details you may be seeking, but
locating individual events typically requires more granular search capabilities and additional steps. Change
Auditor provides advanced filtering options that allow you to modify the results of a search without changing
the original search. With this capability, filtering can be performed on one or more columns of a result,
ultimately reducing the need to build the same search multiple times with minor customizations.
To filter data:
Throughout the client, you will see a row of data filtering cells under the headings row in each of the data grids.
These cells provide data filtering options which allow you to filter and sort the data displayed.
Place your cursor in one of these cells and click the Click here to filter data... prompt.
In the selected cell, enter the word or string of characters to be used to filter the data displayed. Filtering takes place as you type your entry.
By default, Change Auditor uses either the starts with or contains expression to filter the data. However, you can click the search criteria button in the cell to select a different expression.
To remove the filtering and return to the original data grid, click the Remove Filter button to the far left of the cells.
To remove the filtering of an individual cell, click the Remove Filter button to the right of that cell.
To create a custom filter, place your cursor in the cell beneath the column to be filtered. Click the arrow
control and select (Custom).
The Custom Filter dialog appears.
Select the appropriate option in the Filter based on <All | Any> of the following conditions.
Select All if all the criteria entered has to be met in order to be included.
Select Any if only one of the criteria entered has to be met in order to be included.
In the field to the right of the column heading, click the arrow control to select the comparison
operation to be used (e.g., Like, Equals, Contains, etc.).
In the field to the right of the comparison operator, enter the pattern (character string or value) to be
used to search for a match.
Use the * wildcard character to match any string of zero or more characters. For example, entering LIKE
*change* in the Event column, will find events that contain the string change, e.g., changed, Change
Auditor, etc.
To add additional criteria, click the Add button. Clicking this button adds a new row to the custom filter
allowing you to specify additional criteria for the selected column.
Once you have created the custom filter, click the OK button to close the dialog and filter the data based
on the criteria entered.
The following procedures walk you through a few scenarios using the custom filtering feature.
To display only the events whose Event column contains both group and added:
1 On the Search Results page, place your cursor in the data filtering cell of the Event column, click the arrow control and select (Custom).
2 Select All.
3 Add the conditions Contains | group and Contains | added.
4 Click OK.
To display only the events whose Action column contains both delete and object:
1 On the Search Results page, place your cursor in the data filtering cell of the Action column, click the arrow control and select (Custom).
2 Select All.
3 Add the conditions Contains | delete and Contains | object.
4 Click OK.
To filter the Facility column using the default expression:
On the Search Results page, place your cursor in the data filtering cell of the Facility column and enter: forest.
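As an added example (not code from this guide or from the Change Auditor product), the PowerShell script below re-implements the Custom Filter dialog's All/Any logic and its Like, Equals, Contains and starts with comparisons over a constructed list of event rows, and then applies the scenarios above to it. The event rows, and the Facility and Action values in them, are constructed for illustration and are not real Change Auditor output.

```powershell
# Added example, not code from the Change Auditor guide or product. It re-implements
# the Custom Filter dialog's All/Any logic and comparison operators over a
# constructed event list so the behaviour can be checked outside the client.
function Select-FilteredEvent {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string]$Column,           # column whose filter cell is used
        [ValidateSet('All', 'Any')][string]$Match = 'All',
        [Parameter(Mandatory)][hashtable[]]$Conditions   # dialog rows: @{ Op = 'Contains'; Value = 'group' }
    )
    foreach ($row in $Events) {
        $cell = [string]$row.$Column
        $hits = foreach ($c in $Conditions) {
            switch ($c.Op) {
                # Equals: whole-value match, case-insensitive like the grid.
                'Equals'     { $cell -eq $c.Value }
                # Contains / StartsWith: the typed text is literal, so wildcard
                # characters (* ? [ ]) are escaped before the -like comparison.
                'Contains'   { $cell -like ('*' + [WildcardPattern]::Escape($c.Value) + '*') }
                'StartsWith' { $cell -like ([WildcardPattern]::Escape($c.Value) + '*') }
                # Like: the typed text is a pattern; * matches zero or more characters.
                'Like'       { $cell -like $c.Value }
                default      { throw "Unsupported operator '$($c.Op)'" }
            }
        }
        $hits = @($hits)
        # All: every condition must hold. Any: at least one must hold.
        $keep = if ($Match -eq 'All') { $hits -notcontains $false } else { $hits -contains $true }
        if ($keep) { $row }
    }
}

# Constructed sample rows; the values are illustrative, not real Change Auditor output.
$events = @(
    [pscustomobject]@{ Event = 'Member added to group';       Action = 'Add Attribute';    Facility = 'Group';       User = 'CORP\jdoe' }
    [pscustomobject]@{ Event = 'Group object deleted';         Action = 'Delete Object';    Facility = 'Group';       User = 'CORP\jdoe' }
    [pscustomobject]@{ Event = 'Forest configuration changed'; Action = 'Modify Attribute'; Facility = 'Forest';      User = 'CORP\admin' }
    [pscustomobject]@{ Event = 'File deleted';                 Action = 'Delete Object';    Facility = 'File System'; User = 'CORP\svc' }
    [pscustomobject]@{ Event = 'Group renamed to *Admins*';    Action = 'Modify Attribute'; Facility = 'Group';       User = 'CORP\jdoe' }
)

# Scenario 1: Event column, All of: Contains group, Contains added
Select-FilteredEvent -Events $events -Column Event -Match All -Conditions @{ Op = 'Contains'; Value = 'group' }, @{ Op = 'Contains'; Value = 'added' }
# Scenario 2: Action column, All of: Contains delete, Contains object
Select-FilteredEvent -Events $events -Column Action -Match All -Conditions @{ Op = 'Contains'; Value = 'delete' }, @{ Op = 'Contains'; Value = 'object' }
# Scenario 3: Facility cell with the default expression, modelled here as starts with
Select-FilteredEvent -Events $events -Column Facility -Conditions @{ Op = 'StartsWith'; Value = 'forest' }
# LIKE *change* in the Event column, as in the wildcard note above
Select-FilteredEvent -Events $events -Column Event -Conditions @{ Op = 'Like'; Value = '*change*' }
# A literal asterisk typed into a Contains filter must not act as a wildcard
Select-FilteredEvent -Events $events -Column Event -Conditions @{ Op = 'Contains'; Value = '*Admins*' }
```

The last call is the case worth remembering when you build filters by hand: only the Like operator treats * as a wildcard, so a Contains filter for a value that itself contains * or [ must be matched literally. As the section above states, these filters only narrow what the grid displays; the saved search that produced the results is not changed.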
Directory object picker
The directory object picker contains the following pages:
Browse - use the Browse page to select a directory object from a hierarchical view of your environment.
Search - use the Search page to search your environment to locate and select a directory object.
NOTE: Disabled objects on these two pages are represented by a red X icon.
Options - use the Options page to view or modify the search options used to retrieve directory objects.
In the Find field, either enter or use the drop-down menu to select the type of directory objects to be
displayed.
You can enter multiple classes, separated by either a comma or semi-colon. Note that when you type in
an entry, you must use the Enter key or the Apply Filter button to display the objects.
NOTE: Most of the time, this field will be automatically filled in with the appropriate entry. When this
field is grayed out, it is read-only and cannot be changed.
In the explorer view (left pane), single-click on the expansion state box to the left of a container or
double-click a container to expand the view to display subordinate objects.
Select a container in this pane to populate the object list (right pane) with the objects that belong to
the selected container.
NOTE: Right-clicking the root domain in the explorer view will display a drop-down menu listing
any peer domains. To view a different domain's objects, select the desired domain from those
listed.
Use the F5 button to force a refresh of the contents of this pane.
In the object list, click on the object to highlight it and use the Add button to add it to the Selected
Objects list at the bottom of the dialog.
NOTE: The Selected Objects list is used for both the Browse and Search pages and will contain the
objects selected from either of these pages.
Once you have added objects to this list, use the Select button to save your selection and close the
dialog. Or if the directory object picker is part of a wizard, click Next to save your selection and
continue.
Open the Search page and use the controls at the top of the page to search your environment to locate
the desired object(s).
In the Find field, either enter or use the drop-down menu to select the type of directory object to be
located.
You can enter multiple classes, separated by either a comma or semi-colon. Note that when you type in
an entry, you must press the Enter key or click the Search button to display the objects.
NOTE: Most of the time, this field will be automatically filled in with the appropriate entry. When this
field is grayed out, it is read-only and cannot be changed.
In the Name field, specify a search expression to be used to search Active Directory to locate a
particular object. In most cases, this field will contain an asterisk (*) indicating to search for all objects
of the type specified in the Find field.
Select the ANR check box to use Ambiguous Name Resolution (ANR) as the search algorithm, which
allows you to enter limited input (partial data) to find multiple objects in your network.
When the ANR check box is checked, use one of the following methods to enter your search expression:
Enter a partial string to return exact matches or a list of possible matches. For example, entering
Admin will return objects that contain the names Admin, Admins, Administrator,
Administrators, etc.
Enter a string preceded by the equal sign (for example, =Admins) to return only exact matches. For
example, entering =Admin will return only those objects whose name is exactly Admin.
By default, ANR will search the following attribute fields in Active Directory:
LegacyExchangeDN
msExchMailNickname
Office (physicalDeliveryOfficeName)
When the ANR check box is not checked, the search expression entered will be used to search only the
Display Name of directory objects to locate a particular object.
To use this search mechanism, enter a string of characters and the wildcard (*) character as described
below.
*n* will return objects that contain the letter n within their Display Name.
After entering a search expression, use the Search button to initiate the search and return the results of
the search.
The object list displays the objects found as a result of your search. To select an object, click on the
object to highlight it and use the Add button to add it to the Selected Objects list.
NOTE: The Selected Objects list is used for both the Browse and Search pages and will contain the
objects selected from either of these pages.
Once you have added objects to this list, use the Select button to save your selection and close the
dialog. Or if the directory object picker is part of a wizard, click Next to save your selection and
continue.
The Search Limit field specifies the maximum number of records to be returned for any given search.
The default is 2000 records.
To change this limit, enter a value between 100 and 9999.
Or to allow an unlimited number of records to be returned, select the No Search Limit check box.
The Page Size field displays the maximum number of records to be returned per LDAP polling cycle.
TIP: Care should be taken when modifying this value, because it could impact the performance of
your searches.
Once you have made changes on the Options page, use the Select button to save your selection and close
the dialog. If the directory object picker is part of a wizard, click Next to save your selection and
continue.
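The two search modes of the directory object picker (ANR with and without the leading equal sign, and the Display Name wildcard search) together with the Search Limit option, as an added Python example (illustrative code written for this page, not Change Auditor's own implementation). Assumptions: the sample objects, treating displayName as one of the ANR attributes alongside the msExchMailNickname and Office attributes the page lists, leading-substring semantics for ANR matching (which is how Active Directory evaluates ANR queries), and case-insensitive comparison throughout.

```python
import re

# Constructed directory objects (not real accounts). Only three attributes are modelled.
SAMPLE_OBJECTS = [
    {"displayName": "Admin", "msExchMailNickname": "admin", "physicalDeliveryOfficeName": "HQ"},
    {"displayName": "Admins", "msExchMailNickname": "admins", "physicalDeliveryOfficeName": "HQ"},
    {"displayName": "Administrator", "msExchMailNickname": "administrator", "physicalDeliveryOfficeName": "HQ"},
    {"displayName": "Domain Users", "msExchMailNickname": "domusers", "physicalDeliveryOfficeName": "HQ"},
    {"displayName": "Jon Smith", "msExchMailNickname": "jsmith", "physicalDeliveryOfficeName": "Admin Building"},
]

# Subset of the attributes ANR consults. displayName is an assumption for this example;
# msExchMailNickname and physicalDeliveryOfficeName are named on the page.
ANR_ATTRIBUTES = ("displayName", "msExchMailNickname", "physicalDeliveryOfficeName")

DEFAULT_SEARCH_LIMIT = 2000  # the Options page default


def anr_search(objects, expression, attributes=ANR_ATTRIBUTES):
    """ANR mode. A leading '=' demands an exact (case-insensitive) match on some ANR attribute;
    otherwise the expression is matched as a leading substring of any ANR attribute."""
    if expression.startswith("="):
        wanted = expression[1:].lower()
        hit = lambda v: v.lower() == wanted
    else:
        wanted = expression.lower()
        hit = lambda v: v.lower().startswith(wanted)
    return [o for o in objects if any(hit(str(o.get(a, ""))) for a in attributes)]


def display_name_search(objects, expression):
    """Non-ANR mode: the expression, with * as the wildcard, must match the whole Display Name."""
    regex = ".*".join(re.escape(part) for part in expression.split("*"))
    return [o for o in objects
            if re.fullmatch(regex, o.get("displayName", ""), flags=re.IGNORECASE)]


def picker_search(objects, expression, anr=False, limit=DEFAULT_SEARCH_LIMIT):
    """Run the picker search and return matching Display Names.
    limit=None models the No Search Limit check box; otherwise it must be 100..9999."""
    if limit is not None and not 100 <= limit <= 9999:
        raise ValueError("Search Limit must be between 100 and 9999, or None for no limit")
    results = anr_search(objects, expression) if anr else display_name_search(objects, expression)
    names = [o["displayName"] for o in results]
    return names if limit is None else names[:limit]


if __name__ == "__main__":
    print("ANR Admin:      ", picker_search(SAMPLE_OBJECTS, "Admin", anr=True))
    print("ANR =Admin:     ", picker_search(SAMPLE_OBJECTS, "=Admin", anr=True))
    print("Name Admin:     ", picker_search(SAMPLE_OBJECTS, "Admin"))
    print("Name Admin*:    ", picker_search(SAMPLE_OBJECTS, "Admin*"))
    print("Name *n*:       ", picker_search(SAMPLE_OBJECTS, "*n*"))
```

The ANR result for Admin includes Jon Smith, whose office attribute starts with Admin: ANR matches on every attribute in its set, not just the name, which is why a partial string can return objects you did not expect, and why the leading equal sign exists.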
3 Agent Deployment
Introduction
Deployment page
Deploy agents
Introduction
The Deployment page in the Change Auditor client displays all the servers and workstations discovered in your
Active Directory environment. From this page you will specify the servers and workstations (if the Change
Auditor for Logon Activity Workstation license is applied) to host a Change Auditor agent.
NOTE: The first time the Change Auditor client is launched, you will be presented with the Deployment
page to deploy Change Auditor agents. Once agents are deployed, the Overview page will be displayed
whenever the Change Auditor client is launched.
Deployment page
The Deployment page in the Change Auditor client allows you to install and configure the Change Auditor agents
from a single location. This page contains a list of the servers and workstations that are joined to the domain to
which an agent can be deployed.
NOTE: The Deployment page will not display non-member objects, such as ADAM workgroup servers or
non-Active Directory workstations, because agents cannot be deployed to non-member objects using the
Deployment tab. See the Dell Change Auditor Installation Guide for more information on manually
installing agents to workgroup servers or non-Active Directory workstations.
The Deployment page may contain the following information for each server/workstation discovered in your
Active Directory forest. The default column of the following table indicates those fields that are displayed by
default. To display different fields, click the Field Chooser button
headings and select the columns to be displayed.
Field | Default | Description
Agent Status | Yes | Possible values: Active, Inactive, Pending, Copying Files, Executing Installer, Uninstalled
Coordinator | No |
Creds | Yes | Indicates whether user credentials have been entered for the selected domain. To enter the credentials to be used to install agents on a domain, use the Credentials tool bar button or right-click command.
Deployment Result | Yes | NOTE: You can use the Clear Results right-click command to clear the entry in this column for the selected server.
DN | No |
DNS Name | No |
Domain | Yes |
Exchange Server | No |
Forest | No |
GC | No |
Installation | No |
IP Address | No |
Name | Yes |
Operating System | No |
Site | No |
Type | No |
Yes
When | No | Displays the date and time for a scheduled deployment task, that is, the date and time entered on the Install or Update dialog (or Uninstall dialog) when the When option is selected. NOTE: Based on the client's current local date and time. The format used to display this date and time is determined by the local machine's regional and language setting.
Workstation | No |
In addition to selecting the fields to be displayed in the grid, you can use the drop-down controls above the grid
to define what type of machines are to be displayed on the Deployment page.
The following table describes how to use these controls to filter the content displayed on the Deployment page.
Table 3. Deployment page: Filter controls
Control
Description
Type
Use the left-most control to specify the type of Active Directory objects to be
included in the display:
DCs - select to display the domain controllers in the forest, domain or site
NOTE: Non-member objects are not included in the Deployment tab because you
cannot use this tab to deploy agents to workgroup servers or non-Active Directory
workstations. See the Dell Change Auditor Installation Guide for more
information on deploying agents to workgroup servers or non-Active Directory
workstations.
Active Directory view
By default, the Deployment page provides a forest view of the servers found.
However, you can use the right-most controls to limit your view to an individual
domain or site.
Use the middle control to select the Active Directory view (forest, domain or site)
then use the right-most control to select an individual forest, domain or site for
which servers/workstations are to be displayed.
Deploy agents
To deploy Change Auditor agents:
1. Verify that the user account you will be using to deploy agents is at least a Domain Admin in every
domain that contains servers/workstations where agents are to be deployed.
Verify that the user account is also a member of the ChangeAuditor Administrators group in the specified
Change Auditor installation.
Open the Change Auditor client. The Deployment page will automatically be displayed if agents have not
yet been deployed. Otherwise, use View | Deployment to open the Deployment page.
The Deployment page will be populated with the servers (domain controllers and member servers) and
workstations discovered in your Active Directory environment.
NOTE: The Deployment page may initially be empty until the current forest's server topology has
been harvested for the first time. This page will be automatically refreshed once this task has completed.
From this list, select an entry and use the Credentials | Set tool bar button or right-click command to
enter the proper user credentials for installing agents on the selected domain.
On the Domain Credentials dialog, select the domain from the list and click the Set button. On the Logon
Credentials dialog enter the credentials of a user with administrator rights on the selected domain.
After entering the proper credentials, select the entry back on the Deployment page and select
Credentials | Test from the tool bar or right-click menu. If you get a Valid Creds status in the
Deployment Result column, you can start deploying agents to that domain.
If you get a Logon Failure status in the Deployment Result column, use the Credentials | Set command
to re-enter the proper credentials for installing agents.
By default, the Change Auditor agent folders (Agent, Systray) will be installed to
%ProgramFiles%\Dell\ChangeAuditor\. You can, however, change the location of the installation folder by
clicking the Advanced Options tool bar button.
Dell Change Auditor 6.7
User Guide
Select one or more servers/workstations on the Deployment page and click the Install or Upgrade tool
bar button or right-click command.
On the Install or Upgrade dialog select one of the following options to schedule the deployment task:
Now (default)
When
If you select the When option, enter the date and time when you want the deployment task to be
initiated. Click OK to initiate or schedule the deployment task.
Back on the Deployment page, the Agent Status column will display Pending and the When column will
display the date and time specified.
NOTE: To cancel a pending deployment task, select the server/workstation and then click the
Install or Upgrade button or right-click command. On the Install or Upgrade dialog, click the Clear
Pending button.
9. As agents are successfully connected to the Change Auditor coordinator, the corresponding Deployment
Result cell will display Success, the Agent Status cell will display Active and a desktop notification
will be displayed in the lower right-hand corner of your screen.
NOTE: To deactivate these desktop notifications, select the Action | Agent Notifications menu
command.
On the Deployment page, select one or more agents from the server/workstation list. Click the
Advanced Options tool bar button to display the Advanced Deployment Options dialog.
To change the installation folder, check the Specify Agent Installation Location check box and enter the
location to be used for the agent installation folder.
NOTE: The location entered is used for all agented servers/workstations selected on the
Deployment page.
Select the appropriate option to specify the action to be taken if the path entered above cannot be
created on a server/workstation:
By default, the system share (ADMIN$) is used; however, you can use a different share by selecting the
Specify a Custom Share on the Remote Server option and entering the share to be used.
Use the Launch ServiceStatusTray on startup options to indicate whether you would like to
launch/install the Change Auditor agent system tray icon when the agent is started.
Use the Restart Agent on failure options to indicate whether to restart an agent if it fails to start.
Optionally, use the Save as Default button to save the current advanced deployment settings as the
default for future agent deployments.
You can use the Restore to Default button to restore all of the advanced deployment settings to the
factory default or last saved defaults.
Click the OK button to save your selections and close the dialog. These deployment settings apply to all
of the agents selected on the Deployment page.
From the Deployment page, click the Auto Deploy tool bar button.
Select the Enable Auto Deployment to New Servers and/or Enable Auto Deployment to New
Workstations check box(es).
Select one of the following options to specify the servers to which agents are to be deployed:
Clicking the Add button displays the Select Active Directory Objects dialog. Use the Browse or Search
page to locate and select a container. Once a container is selected, click the Add button to add it to the
Selection list at the bottom of the dialog. Once you have added all the containers, click the Select
button to save your selection and close the dialog.
The containers specified will be displayed in the Containers list on the Auto Deploy to New Computers
dialog.
By default, Change Auditor will check if new servers have been added to the forest every 60 minutes and
if found will automatically deploy a Change Auditor agent. However, you can use one of the following
Check for New Computers Added to Forest options to change this interval:
Every nn Minutes
Click the Set button to specify the credentials of a user with administrator rights on the selected
domain(s). Click OK to save these user credentials and close the Logon Credentials dialog.
Click OK to save your selections and close the Auto Deploy to New Computers dialog.
On the Deployment page, click the Force Refresh tool bar button.
Change Auditor will force a topology harvest and display any new servers/workstations added since the
last topology harvest.
NOTE: The default harvest interval is every 24 hours.
NOTE: Topology scan takes a long time when the environment contains a large number of
workstations.
On the Deployment page, select one or more servers from the list.
Change Auditor will retrieve and display the latest status for the selected agents, including the agent
version and deployment results.
On the Deployment page, right-click a server/workstation from the list and click Clear Result.
This will clear the current and any future entries in the Deployment Result cell for the selected
server/workstation.
4 Overview Page
Overview
My Favorite Search
Overview panes
Overview
Once agents are deployed, the Overview page is initially displayed when the Change Auditor client successfully
connects to a coordinator. The goal of the Overview page is to provide you with instant access to valuable
information about the application. Therefore, this page provides customized views to highlight application
details based on your preference. For example, you can display Agent Status, Top Agent Activity, Recent Event
Activity, Coordinator Status, Event Counts, or Alert History Counts on the various panes on the Overview page.
Additionally, you can view a real-time stream of events based on a favorite search definition. By default, the
top pane will use the Change Auditor Real-Time search definition and display all events (up to 10,000 records)
generated in the last 20 minutes. You can, however, define a different favorite search and the events captured
from that search will then be displayed across the top of the Overview page.
The information on this page is captured when the Change Auditor client is started. To refresh all of the
information displayed on the Overview page, use the Refresh button, F5 or the Action | Refresh menu
command. Also, when you select a different pane for display, the latest information for the 'new' pane will be
displayed.
My Favorite Search
The top pane displays a real-time view of events generated based on a user-defined favorite search. By
default, Change Auditor will use the Change Auditor Real-Time search definition and this pane will display all
events captured for the last 20 minutes.
As events are returned, they will be added to this search results grid, providing you with a real-time view of
what's happening in your environment. By default, the events are sorted by date, with the latest event being
added to the top of the list. You can, however, use the column controls to select a different sort criteria for the
information displayed. For more information on customizing the content of this table, see Customize table
content.
Double-clicking an event in this grid will display the Event Details pane across the bottom of the page, which
contains additional details regarding the event selected in the search results grid. The layout and content for
the My Favorite Search grid is the same as that used on the Search Results page. For a description of the search
results grid and the Event Details pane, please refer to Search Results grid and Event Details pane.
Open the Overview page, click F5 (or the Refresh button) to display the results of that search in the My
Favorite Search pane at the top of the Overview page.
From the Overview page, click on the My Favorite Search: <search name> title at the top of the My
Favorite Search grid.
The Searches page and corresponding search properties tab are displayed.
Use the search properties tabs to modify the search criteria. Click Save from one of the search
properties tabs to save your changes.
Open the Overview page and click F5 (or the Refresh button) to display the results of the modified search in
the My Favorite Search pane.
Overview panes
The Overview panes across the bottom of the Overview page can be customized based on your preference to
display a variety of overview information about Change Auditor. By default, the Top Agent Activity and Agent
Status panes are displayed across the bottom of the Overview page. However, each of these panes has an arrow
button on its heading that can be used to display the different overview information that is available.
Change Auditor provides the following overview views which highlight application details based on your
preference:
Count of Events By
Agent Status
Coordinator Status
Within the overview panes, blue underlined numbers are hypertext links. Selecting a link displays the search
results for the selected count.
Type
By default all agented objects will be included. However, you can use the drop-down menu located in
the upper left corner of this overview pane to limit the types of objects to be included:
Servers - select to view only agented servers that are joined to the domain
Workstations - select to view only agented workstations that are joined to the domain
Others - select to view only non-member objects, such as ADAM workgroup servers or workstation
agents manually installed on non-Active Directory machines
Time interval
By default, data will be collected for the last month. However, you can use the controls in the upper
right corner of this overview pane to specify a different time interval for collecting this data.
Where: <nn> is a positive numeric value and <interval> is one of the following:
Hours
Days
Weeks
Months (default)
Years
Use the controls at the top of this pane to define the content to be included in this Overview pane.
Select Events
Click the Select Events button to select different event classes to be displayed. Clicking this button
displays the Select an Event Class dialog. Select the event classes to be displayed and use the Add button
to add them to the selection list at the bottom of the dialog.
NOTE: A maximum of 10 event classes can be selected. When you have reached this limit, the Add
button is disabled preventing you from adding any additional event classes.
Use these buttons/controls to define the format to be used to display the information. By default, the
data appears in a data grid format.
Use this button to display the data in a bar graph. Select the Show Legend check box to
include a legend for the bar graph.
NOTE: The bar graph button and Show Legend check box only appear when there is activity
to report in this pane.
Use this button to redisplay the data using the data grid format.
Count of Events By
The event counts pane displays a table listing the total number of events captured by Change Auditor, sorted by
the selected category. Click the arrow on the heading of one of the Overview panes, select Count of Events By
and then select one of the following categories to display this pane:
Event Class
Facility
Location
Severity
Result
Subsystem
The count by event panes include the total number of events found in the Change Auditor database based on
the category selected. The counts on these panes are hypertext links, which when selected display a Search
Results page showing the events associated with the selected count. However, the Search Results page only
displays the associated events generated in the last year. If you want to see all of the events associated with the
selected count, edit the date range to include the last nn years in the When tab on the Search Results page.
Agent Status
The Agent Status pane of the Overview page displays a gauge depicting the current status of Change Auditor
agents. Click the arrow on the heading of one of the Overview panes and select Agent Status and then select
one of the following options to display this pane:
Enterprise View - displays all agented member servers installed in the enterprise
Workstation View - displays all agented workstations that are installed on Active Directory machines in
the enterprise
Other View - displays all agented non-member objects, such as ADAM workgroup servers or workstation
agents manually installed on non-Active Directory machines in the enterprise
<DomainName> - displays all agented machines, including servers, workstations and non-member
workgroup computers, installed on the selected domain
Double-clicking the gauge displays the Agent Statistics page which provides a global view of all Change Auditor
agents, including their current status.
Coordinator Status
The Coordinator Status pane displays a gauge depicting the current status of all the Change Auditor coordinators
installed in the entire enterprise or in a selected domain. Click the arrow on the heading of one of the lower
panes and select Coordinator Status and then select one of the following options to display this pane:
Counts - displays the number of alerts that were successfully sent and the number of alerts that failed to
send
5 Searches
Introduction
Searches page
Run searches
Introduction
Once Change Auditor captures an event, it provides several flexible ways to generate meaningful reports. All
event information is displayed in the Change Auditor client, and its built-in reports provide views for the most
common and complex requests. You can view configuration changes from a variety of perspectives. For
example, you can view all changes at a particular site. You can view changes made during a specific time frame.
Or, you can see the changes performed by a particular administrator. You can even run detailed searches based
on user-defined criteria to fit the needs of your organization.
This section provides a description of the Searches page and steps on how to run a built-in search. For
information on how to create and run a custom search refer to the Custom Searches and Search Properties
chapter.
Searches page
The Searches page displays all of your search definitions, both private and shared, and the built-in reports
provided with Change Auditor. This page consists of the following panes:
Explorer view
Searches list
Explorer view
The left pane of the Searches page displays a hierarchical view of the folders used to manage your search
definitions and the built-in reports provided with Change Auditor. This view initially displays the following
folders:
Quick Search
Allows you to define a search that is to be executed as soon as the definition is finished.
Unlike other custom searches, this search definition will not be saved unless you click Save As on one of
the Search Properties tabs.
Private
Is used to store your personal custom searches (i.e., only you can see these searches).
NOTE: A foreign security principal in foreign forests is required for some private searches to function
properly.
To store foreign user created searches in Change Auditor:
1. Create a trust between the foreign domain and the domain where Change Auditor is installed.
2. Add the foreign user to any group in the Change Auditor domain. This will cause Windows to create a
foreign security principal object in the Change Auditor domain.
Shared
Contains the predefined search definitions provided with Change Auditor and can also be used to store
public custom searches (i.e., all Change Auditor users can see these searches).
Built-In
Contains all of the predefined reports provided with Change Auditor.
Searches list
The right pane of the Searches page displays a list of the search definitions or built-in reports contained in the
folder selected in the explorer view.
The following information is displayed for each search definition:
Table 4. Searches list: Field descriptions
Field
Description
Type
Displays the type of entry: Private Search, Shared Search, Private Alert, Shared Alert
or Report.
Alert
Indicates whether an alert has been enabled for the search query. Valid entries for
this field are:
Enabled - which means that alerting is enabled for the search query and that
at least one transport method is enabled.
Disabled - which means that the alert is disabled for the search query;
however, at least one transport method is still enabled.
Report
Indicates whether reporting has been enabled for the search query. Valid entries for
this field are:
Enabled - which means reporting is enabled for the search query and a
report will be sent to the specified recipient(s) as defined on the Report tab.
Disabled - which means previously enabled reporting has now been disabled
for the search query.
Name
Alert To
Displays the email address of any recipient(s) specified to receive an alert email
notification (SMTP).
In addition to an email address or distribution list address, you will see the following
parameterized values when the corresponding option has been selected on the Alert
Custom Email dialog:
%WHO% - indicates that an alert is to be sent to the user who initiated the
change that triggered the alert.
%MANAGEDBY% - for events associated with groups that are managed by
another account, indicates that an alert is to be sent to the managing
user's email.
Alert Cc
Displays the email address of any carbon copy recipient(s) specified to receive an
alert email notification.
Alert Bcc
Displays the email address of any blind carbon copy recipient(s) specified to
receive an alert email notification.
Report To
Report Cc
Displays the email address of any carbon copy recipient(s) specified to receive a
report email.
Report Bcc
Displays the email address of any blind carbon copy recipient(s) specified to
receive a report email.
Double-clicking a search definition will run the selected search and display the results in a new Search Results
page.
Info: Allows you to enter a name and description for the search
Who: Allows you to search for events generated by a specific user, computer, or group.
What: Allows you to search for events based on subsystem, event class, object class, severity, or results.
Where: Allows you to search for events captured by a specific agent, domain or site.
When: Allows you to search for events that occurred within a specific date/time range.
Origin: Allows you to search for events that originated from a specific workstation or server.
Alert: Allows you to enable alerts and define how and where to dispatch alerts.
Report: Allows you to enable reporting, specify the report layout template to be used or choose to
design your own report layout, and define when and where to send the report.
Layout: Allows you to define the data (columns) to be retrieved from the database and the sort order for
displaying the retrieved data. The layout defined on this tab applies to both the search results displayed
in the client and in the report, if reporting is enabled on the Report tab.
SQL: Displays the SQL script used to create the selected search definition.
NOTE: This tab is hidden by default. Use the Action | Show SQL Tab to display this tab.
For a detailed description of the Info, Who, What, Where, Origin and Layout tabs and how to use them to create
a custom search, refer to the Custom Searches and Search Properties chapter. For more information about the
Alert tab, see the Enable Alert Notifications chapter. For more information about the Report tab, see the
Generate and Schedule Reports chapter.
In the explorer view (left pane), double-click the Shared folder (or click the + sign to the left of the
Shared folder) to expand the folder and display a hierarchy of folders.
Double-clicking a search in the right-hand pane runs the search and opens a new Search Results page.
Right-clicking a search displays a context menu containing actions that can be taken against the selected
search.
Select the Private folder (or a subordinate folder created under the Private folder) in the explorer view.
The right pane displays a list of the search definitions that are stored in the selected folder.
To view the list of built-in reports (those provided with Change Auditor):
1. Select a folder under the Built-in folder to view the list of search definitions that are stored in the
selected folder.
The right pane displays a list of the search definitions that are stored in the selected folder.
Run searches
To run a previously saved search or built-in report:
1. Expand and select the appropriate folder in the explorer view to display the list of search definitions
stored in the selected folder.
Select the search definition and click the Run tool bar button at the top of the Searches page.
A new Search Results page will be displayed populated with the events that met the search criteria
defined in the selected search definition.
Select the Quick Search node in the explorer view to display the Quick Search entry in the Searches list
(right pane).
You can either run the default quick search which will retrieve all events that were generated since the
beginning of the week or define the search criteria to be used.
To run the default search, double-click the Quick Search entry in the Searches list or click the
Run right-click command or tool bar button.
To define the search criteria, select the Quick Search definition to enable the Search Properties
tabs. On the Search Properties tabs, enter the search criteria to be used. Once finished entering
the search criteria, click the Run tool bar button from one of the Search Properties tabs.
A new search results tab, titled Quick Search, will be displayed populated with the events that met the
search criteria defined.
6 Search Results and Event Details
Introduction
Audit events are the configuration change information that is captured by the Change Auditor agents and
reported to a coordinator and then written to the database. These events can be retrieved and viewed through
searches made through the Change Auditor client. When you run a search, Change Auditor searches the events in
the database for the desired results. The results are then displayed in the Search Results page in the Change
Auditor client.
The terms searches and reports are used in conjunction to acquire the desired output. You run a 'search' and
the results returned are the report.
Auditing and centralizing the collection of events is only one part of the total control and output required for
enterprise security and compliance. It is equally important to be able to retrieve the real-time data and sort
through it quickly and efficiently when it is needed.
This section provides a description of the Search Results page and the Event Details pane. It also provides
instructions for performing related tasks when viewing the search results. For a description of the other dialogs
mentioned in this chapter, refer to the online help.
Run on
Displays the date and time when the search was run.
NOTE: Based on the client's current local date and time. The format used to display this date and
time is determined by the local machine's regional and language setting.
Run Time
Displays the amount of time it took to run the search.
Records
Displays the total number of records returned.
Refresh
Use the Refresh button to redisplay the latest information.
Cancel
When a large number of records are being captured for display, the Refresh button will become a Cancel
button allowing you to cancel the search.
By default, the grid contains the following information about the events returned when a search is run. (You can
specify the columns, sort order and grouping for a search, as well as the display format by using the Layout
search properties tab.)
Table 5. Search Results grid: Event information displayed by default
Column: Description
Action
Domain: Displays the name of the domain to which the agented server belongs.
Event
Facility: Defines the event class facility to which the change event belongs.
Result: Indicates whether the operation mentioned in the event was successfully completed. Valid
states are:
Protected - Indicates that the operation was prevented from occurring because the
object is protected by the Change Auditor object locking feature.
Failed - Indicates that the operation was prevented from occurring due to a
factor/setting outside of Change Auditor's control.
None - Indicates that the operation occurred as stated, but no results were captured
for the event. For example, this state is used for most of the internal Change Auditor
events.
Server
Severity: High, Medium, or Low.
Site: Displays the name of the site where the agented server resides.
Subsystem: Defines the subsystem, or area of auditing, where the change event occurred.
Time Detected: Displays the date and time when the agent captured the event.
NOTE: Based on the client's current local date and time. The format used to display this
date and time is determined by the local machine's regional and language setting.
User
This provides the following details about the event selected in the search results grid:
NOTE: All dates and times are based on the client's current local date and time. The format used to
display the date and time is determined by the local machine's regional and language setting.
Description
Severity
The severity level assigned to the search is displayed in the upper left-hand corner.
Who
This field specifies the name of the user who initiated the change. If available, the display
name of the user account is also displayed in parentheses.
When
This field specifies the date and time when the change occurred.
Where
This field displays the name of the server where the change occurred.
Source
This field displays the source of the event: Change Auditor, ActiveRoles Server, or GPOADmin.
NOTE: When the event is generated from Dell One Identity ActiveRoles Server or Dell
GPOADmin, the name of the user account that initiated the event is displayed in
parentheses.
NOTE: If the Source field displays ActiveRoles (instead of ActiveRoles Server) you are not
using the latest integration scripts. If you want to take advantage of the additional events
and initiator account information captured using the new integration scripts, ensure you are
running One Identity ActiveRoles Server 6.9 (or higher) with Change Auditor for Active
Directory 6.5 (or higher).
Origin
This field displays the NetBIOS name and IP address of the workstation or server from which
the event was generated.
What
Displays a brief description of the change that occurred. There are three basic types of
events generated, and the type determines what information will be displayed:
Change events
Depending on the type of event, additional details may be displayed at the bottom of this
pane.
Result
Indicates whether the operation mentioned in the event was successfully completed. Valid
states are:
Success (Green) - Indicates that the operation occurred as stated in the event.
Protected (Yellow) - Indicates that the operation was prevented from occurring
because the object is being protected by the Change Auditor object locking feature
Failed (Red) - Indicates that the operation was prevented from occurring due to a
factor/setting outside of Change Auditor's control.
None (Green) - Indicates that the operation occurred as stated, but no results were
captured for the event. For example, this state is used for most of the internal
Change Auditor events.
Subsystem
The first field defines the subsystem, or area of monitoring, where the change event
occurred (e.g., Active Directory, Service, Group Policy, etc.).
Action
This field defines the action associated with the selected event.
Facility
This field defines the event class facility to which the change event belongs.
Class
For Active Directory and Exchange events, this field displays the object class that was
modified, such as user, group, computer, nTDSConnection, CrossRefContainer.
Attribute
If an attribute has been added, deleted or modified, this field displays the name of the
attribute.
Type
For Active Directory events associated with groups, this field displays the type of group that
was modified (e.g., Global (Security), Domain Local (Security)).
For AD Query events, this field displays the type of query:
LDAP
GC
Object
For Active Directory and Exchange events, this field displays the name of the object that was
modified.
SSL/TLS
For Active Directory and AD Query events, this field indicates whether the LDAP operation or
LDAP query is secured using SSL or TLS technology.
NOTE: If you upgraded from a previous version of Change Auditor, the event details for pre-5.5 Active Directory and AD Query events will not include this field.
NOTE: If changes are initiated within LSASS and not through the LDAP protocol itself, this
field will not be captured.
Sign/Seal
For Active Directory and AD Query events, this field indicates whether the LDAP operation or
AD query is signed using Kerberos-based encryption.
NOTE: If you upgraded from a previous version of Change Auditor, the event details for pre-5.5 Active Directory and AD Query events will not include this field.
NOTE: If changes are initiated within LSASS and not through the LDAP protocol itself, this
field will not be captured.
Scope
Results
For AD Query events, this field displays the number of results returned as a result of the
query.
Occurrences
For AD Query events, this field displays the number of times the AD query occurred during
the specified interval.
Since
For AD Query events, this field displays the date and time when the AD query was first
initiated.
Elapsed
For AD Query events, this field displays how long the AD query took to run. Zero (0) indicates
that it took less than a millisecond to complete.
Filter
For AD Query events, this text box displays the filter string used in the AD query.
Attributes
For AD Query events, this text box displays the attributes that were queried.
Path
For File System events (including EMC and NetApp), this field displays the full path of the
file or folder where the modification occurred.
Process
For File System events, this field is populated with the full path of the application
responsible for the file change.
Service
For Service events, this field displays the name of the service(s) that were modified.
Key
For Registry events, this field displays the name of the registry key that was modified.
Value
For Registry events, this field displays the registry value that was modified.
Policy
For Group Policy events, this field displays the name of the group policy that was modified.
Section
For Group Policy events, this field displays what section of the group policy was modified.
Item
For Group Policy events, this field displays the group policy item that was modified.
Account
For Local Account events, this field displays the local account that was modified.
From
This text box lists the old value that was assigned to the object.
To
This text box lists the new value that is now assigned to the object.
NOTE: The To and From information does not apply to permission/ACL (Access Control List)
type changes and is replaced with the Changes section. This information is also not available
for occurrence type events, e.g., when an object is created or deleted.
Farm
For SharePoint events, this field displays the name of the SharePoint farm to which the
modified component belongs.
Site
For SharePoint events, this field displays the name of the SharePoint site to which the
modified component belongs.
Item URL
For SharePoint events, this field displays the URL of the SharePoint item that was modified.
Audited Host
For VMware events, this field displays the IP address or name of the ESX host or vCenter
server being audited (as specified in the VMware Auditing template).
Host
For VMware events, this field displays the name of the host where the change occurred.
Compute Res
For VMware events associated with compute resources, this field displays the name of the
compute resource where the change occurred.
VM
For VMware events, this field displays the name of the virtual machine where the change
occurred.
Net
For VMware events associated with network objects, this field displays the name of the
network object where the change occurred.
Data Center
For VMware events, this field displays the name of the datacenter where the change
occurred.
Store
For VMware events associated with datastore objects, this field displays the name of the
datastore where the change occurred.
DVS
For VMware events associated with a Distributed Virtual Switch (DVS), this field provides the
name of the DVS where the change occurred.
Mailbox
For Exchange Online Mailbox events, this field displays the account name of the online
mailbox where the change occurred.
Folder
For Exchange Online Mailbox events, this field displays the folder name where the change
occurred.
Cmdlet
For Exchange Online Administration events, this field displays the name of the administrative
cmdlet that was run.
Object
For Exchange Online Administration events, this field displays the name of the object within
the administrative cmdlet that was modified.
Logon Start
For Logon Session events, this attribute displays the date and time when the user initially
logged onto the computer.
Logon End
For Logon Session events, if applicable this attribute displays the date and time when the
user logged out of the computer.
Duration
For Logon Session events, depending on the event this attribute displays how long the user
session lasted or how long the user was actually logged onto the computer.
Session Start
For Logon Session events, this attribute displays the date and time when the current user
session began.
Session End
For Logon Session events, if applicable this attribute displays the date and time when the
current user session ended.
Start
For SonicWALL events, this field displays the date and time when the activity started.
End
For SonicWALL events, this field displays the date and time when the activity ended.
Duration
For SonicWALL events, this field displays the duration of the activity.
Authentication
For SonicWALL events, if available from the firewall this field displays the user
authentication type (SSO, NTLM, local) used to access the web or cloud storage site.
User Zone
For SonicWALL events, if available from the firewall this field displays the zone name (e.g.,
LAN or WAN) of the user who initiated the activity.
Site IP
For SonicWALL events, if available from the firewall this field displays the IP address of the
site where the activity occurred.
Site Zone
For SonicWALL events, if available from the firewall this field displays the zone name (e.g.,
LAN or WAN) of the site where the activity occurred.
Site Port
For SonicWALL events, if available from the firewall this field displays the port number (80,
443, etc.) of the site where the activity occurred.
Site Application
For SonicWALL events, if available from the firewall this field displays the application name
for the site where the activity occurred.
Site Category
For SonicWALL events, if available from the firewall this field displays the application
category for the site where the activity occurred.
Site Country
For SonicWALL events, if available from the firewall this field displays the IP address Geo-IP
country location for the site where the activity occurred.
<list>
For SonicWALL events, if available from the firewall this field displays the full URL(s) of the
site where the activity occurred.
For each search that is run, a new search results page will automatically be created and opened,
allowing you to view the event records returned.
When multiple search results are active, select the heading tab at the top of a search page to view the
selected search results.
Use the column controls to sort, rearrange, or group the data displayed. See Customize table content for
more information on using the column controls to customize the content of this page.
Change Auditor also provides advanced filtering options that allow you to modify the results of a search
without changing the original search. Click in the Click here to filter data ... cell to enter the criteria to
be used to filter the data displayed. See Filter data for more information on using Change Auditor's
filtering feature.
Data Grid: Select the data grid icon to redisplay the data in the grid format (default format).
Pie Chart: Select the pie chart icon to display a pie chart showing the correlated data. Move your cursor
over the pieces in the pie chart to display the label and number of items that make up that piece of the
pie.
Bar Graph: Select the bar graph icon to display a bar graph showing the correlated data. Move your
cursor over the bars in the graph to display the label and number of items that make up that bar.
NOTE: The Pie Chart and Bar Graph displays are only available when a single level grouping has been
applied to the data grid. Also, when the search results are too numerous to chart, a message will display
stating that there are too many items to display them all.
Open the Search Results page for a search where you want to preview changes based on new search
criteria.
Click the Search Properties tool bar button or right-click command to display the Search Properties tabs
across the bottom of the page.
Modify the search criteria and then click the Preview Changes tool bar button from one of the Search
Properties tabs.
The results of the modified search appear at the top of the open Search Results page. An asterisk is
appended to the name in the tab denoting that the search properties have been modified and these
changes have not yet been saved.
Once you achieve the desired results, you can use the Save or Save As tool bar buttons on one of the
Search Properties tabs to save the modifications made to the search criteria.
Run the searches to be compared. On the Search Results pages, we recommend that you hide the Event
Details pane and Search Properties tabs so that when the screen splits, you will have more space for
viewing events.
Right-click the heading tab of one of these Search Results pages and select one of the following
commands:
New Horizontal Tab Group - to view two or more panes down the screen.
New Vertical Tab Group - to view two or more panes across the screen.
This will split the screen (either horizontally or vertically depending on the command selected)
displaying multiple pages in the single view.
To move a page from one pane to another, right-click the heading tab of the page to be moved and select
the Move to Next Tab Group menu command. This will move the selected page to the other pane
displayed. To move this page back, right-click the heading tab and select the Move to Previous Tab
Group menu command.
To close the split screen and return to a single pane, use the Action | Reset Display menu command.
Open a Search Results tab and select an event from the Search Results grid.
If neither the Search Properties tabs nor the Event Details pane is being displayed (or the Search Properties
tabs are displayed), use one of the following methods to display the event details:
Open a Search Results tab and select an event from the Search Results grid.
If neither the Search Properties tabs nor the Event Details pane is being displayed (or the Event Details pane
is displayed), use one of the following methods to display the search properties:
Open a Search Results tab and select an event from the Search Results grid.
Use one of the following methods to launch the Change Auditor knowledge base:
From the Search Results grid, right-click the event and select Knowledge Base.
From the Event Details pane, click the Knowledge Base tool bar button.
This will open your browser and display the associated Event Reference Guide.
Open a Search Results tab and select an event from the Search Results grid.
Use one of the following methods to email the selected events details:
Right-click the event in the Search Results grid and select Email.
From the Event Details pane, click the Email tool bar button.
NOTE: You can also hold down the Shift key while clicking the Email button to email additional
event details. This additional information may be requested from the Dell Support staff for
troubleshooting purposes.
This will create a new email containing the contents of the Event Details pane. Enter the recipient's
email address (in the To and CC fields) and edit the subject line if desired.
Click Send.
If applicable, the Internet Connection wizard will be displayed allowing you to create a new Internet
account, which includes the following information:
display name as you would like it to appear in the From field of the outgoing message
Open a Search Results tab and select an event from the Search Results grid.
Use one of the following methods to copy the contents to the clipboard:
Open the application (e.g., Notepad) to which the content is to be pasted, right-click and select Paste.
Add comments
Change Auditor allows you to append comments to an event which can then be later specified as search criteria
to retrieve all the events that contain a specific comment or keyword.
Open a Search Results tab and select an event from the Search Results grid.
Use one of the following methods to add or append comments to the selected event:
From the Event Details pane, click the Comments tool bar button.
This will display the Comments dialog. In the New Comments text box at the bottom of this dialog, enter
the comments to be associated with the selected event.
Click OK to close the dialog and return to the Search Results tab.
To view comments:
1 Open a Search Results tab and select an event from the Search Results grid.
Use one of the following methods to view or append comments to the selected event:
From the Event Details pane, click the Comments tool bar button.
This will display the Comments dialog where previously entered comments are displayed in the top pane.
To append a new comment to those that already exist, use the text box at the bottom of the screen to
enter your new comment.
Click OK to close the dialog and return to the Search Results tab.
Who: Select this option to run a query for all change events generated by this user during the same date
interval as that specified in the When tab of the selected event.
View Contact Card: For events with a user object, select this option to view contact information and
group membership for this user.
Where: Select this option to run a query for all change events captured by this agent during the same
date interval as that specified in the When tab of the selected event.
View Resources: Select this option to display the Resource Properties pane for this server, which
includes: Machine Info, Processors, Drives, Shares, Services, and if applicable Exchange Mailboxes.
See Resource Properties pane for more details about the resource details provided.
What: Select this option to run a query for change events captured for this event class during the same
date interval as that specified in the When tab of the selected event.
When: Select this option to run a query for change events that occurred on this date.
Origin: Select this option to run a query for change events that originated from this workstation or
server during the same date interval as that specified in the When tab of the selected event.
Object: Select this option to run a query for change events generated against this object during the
same date interval as that specified in the When tab of the selected event.
NOTE: When selecting an object that contains a path, the related search will only return related
events where the full paths are the same.
NOTE: This last option is the object from the original event, such as a file or folder, directory
object, registry key, etc.
At the top of the Search Results page, select an event to display the related Event Details pane.
At the top of the Event Details pane, click the arrow to the right of the Related Search tool bar button
and select View Contact Card.
The contact information appears for the user who initiated the change in the selected audit event. In
addition, the Member Of pane on this dialog lists the groups to which this user belongs.
At the top of a Search Results page, select an event to display the related Event Details pane.
At the top of the Event Details pane, click the arrow to the right of the Related Search tool bar button.
Click the first entry in the context menu, which is the name of the user who initiated the change in the
selected audit event.
A new Search Results page appears populated with all change events generated by this user during the
same date interval as that specified in the When tab of the selected event.
Note that the user's name is used as the Search Name (name on tab) for this new query.
To view resource properties about the server where the change occurred:
1 At the top of the Search Results page, select an event to display the related Event Details pane.
At the top of the Event Details pane, click the arrow to the right of the Related Search tool bar button.
The Resource Properties pane appears which contains additional details about the server where the
change occurred. See Resource Properties pane for more information about the content of the tabbed
pages on this pane.
7 Custom Searches and Search Properties
Introduction
Change Auditor enables you to create custom search definitions to search for the configuration changes that
need to be tracked in your environment. You will use the search properties tabs across the bottom of the
Searches page to define new custom searches.
This chapter provides steps on how to create custom searches and to preview search results. It also provides a
description of the Search Properties tabs and how to use these tabs to customize your searches. For a
description of the other dialogs mentioned in this chapter, refer to the online help.
In the explorer view (left pane), expand and select the folder where you want to save your search.
Selecting the Private folder will create a search that only you can run and view, whereas selecting the
Shared folder will create a search which can be run and viewed by all Change Auditor users.
Click the New tool bar button at the top of the Searches page (or right-click a folder and select the New
| New Search menu command).
Who - allows you to search for events generated by a specific user, computer or group
What - allows you to search for events based on subsystem, event class, object class, severity or
result
Where - allows you to search for events captured by a specific agent, domain or site
When - allows you to search for events that occurred during a specified date/time range
Origin - allows you to search for events that originated from a specific workstation or server
NOTE: When you specify criteria on more than one search properties tab (e.g., Who, What and
Where tabs), Change Auditor first evaluates each individual tab's criteria and then chains the
individual tabs' criteria together using the AND operator, returning only those events that meet
all of the search properties specified on the different tabs.
If you want to be notified when an event is captured as a result of this custom search, open the Alert tab
to enable and define how and where to dispatch alerts when the selected search criteria is met. Refer to
Enable Alert Notifications for more information on setting up alert notifications.
Once you have defined the search criteria to be used, you can either save the search definition or run
the search.
To save and run the search, click Run from one of the Search Properties tabs.
To save the search definition without running it, click Save from one of the Search Properties
tabs.
To create a new search using a different name than was initially entered, click Save As | Save As
from one of the Search Properties tabs.
To save the search definition as the new default for new searches, click Save As | Save As
Default from one of the Search Properties tabs.
Info tab
Who tab
What tab
Where tab
When tab
Origin tab
Layout tab
SQL tab
XML tab
From the Searches page, use one of the following methods to display/activate these tabs:
right-click a folder (left pane) or search definition (right pane) and select Show Properties
select a folder (left pane) or search definition (right pane) and click the New | New Search tool
bar button or right-click command
NOTE: You can also display the Search Properties tabs from a Search Results tab, using the Search
Properties tool bar button or right-click command.
in the upper right corner of the Search Properties tab pane to hide this pane.
Info tab
The Info tab is the first of the Search properties tabs. From this tab, you can view or enter the name and
description of a search definition. You can also define the maximum number of records to be retrieved and
displayed, or enable a refresh interval that defines how often the client is to retrieve and redisplay updated
information.
The Info tab contains the following information/controls:
Table 7. Info tab: Field/control descriptions
Field/Control
Description
Search Name
Search Description
Search Limit
Refresh Interval
Specifies how often the client is to retrieve and redisplay updated information.
Select this check box and use the arrow controls to enable and set the refresh
interval for the selected search.
When this option is checked, an additional field, Next Refresh, will be added to the
heading area of the Search Results grid.
NOTE: This option is not checked by default for new searches, only for the default
favorite search (Change Auditor Real-Time) used in the Overview page. The default
interval for the default favorite search is five minutes.
Place your cursor in the Search Name text box and enter a descriptive name for the search.
NOTE: If you do not enter a new name for your search, it will be named New Search.
Place your cursor in the Search Description text box and enter a brief description of the search. This
step is optional.
After entering the search name and optional description, proceed to the other Search Properties tabs to
enter the search criteria.
To restrict the search results to a specific number of records, ensure that the Search Limit check box is
checked.
Select the Refresh Interval check box to enable this feature and activate the field to the right of this
field.
NOTE: This option is not checked by default for new searches, only for the default favorite search
(Change Auditor Real-Time) used in the Overview page. The default interval for the default
favorite search is five minutes.
Enter or use the arrow controls to set the refresh interval (how many minutes between refreshes) for the
selected search.
When this option is checked, an additional field, Next Refresh, will be added to the heading area of the
search results grid whenever this search is run.
Who tab
The Who tab allows you to view or define the users, computers and/or groups to be included in (or excluded
from) the search definition. When multiple who criteria are specified on this tab, Change Auditor uses the OR
operator to evaluate change events, returning events for activity performed by any of the users, computers, or
groups listed.
NOTE: You can add a group to a search to find all events made by the members of that group. Change
Auditor must expand and store the membership of the group before all expected events are returned
when the search is run. When the search is saved, Change Auditor will expand the group if it has not
already been expanded. This may take several minutes, depending on your environment. Refer to Group
Membership Expansion pane for the options available regarding group expansion.
NOTE: Activity performed by an account specified in an Excluded Accounts template will not be captured
by the agent(s) to which this template is assigned. Thus, Change Auditor will not return any audit events
for these excluded accounts even if you specify them in your who search criteria. For more information
on excluding accounts, refer to Account Exclusion.
The Who tab contains the following information/controls:
Table 8. Who tab: Field/control descriptions
Field/Control
Description
Runtime Prompt
Select this check box to prompt for the who criteria when this search is executed.
That is, when the Run tool bar button is selected, the Select Active Directory
Object dialog will be displayed allowing you to locate and select the users,
computers or groups to be searched.
NOTE: When this check box is checked, the Add tool bar buttons will be
deactivated.
NOTE: You cannot enable alerting for search definitions that use the Runtime
Prompt option.
Select this check box to specify the users, computers or groups to be excluded from
the search. That is, Change Auditor is to search all users, computers and groups
except those listed.
Select this check box if you want to include events generated by One Identity
ActiveRoles Server or GPOADmin in the search. Selecting this check box instructs
Change Auditor to retrieve all change events made by the specified user account,
including those initiated by One Identity ActiveRoles Server and GPOADmin.
NOTE: An additional column (Initiator UserName) is added to the Search Results
grid that contains the user information of who made the change through One
Identity ActiveRoles Server or GPOADmin.
Who list
Contains the individual users, computers and/or groups to be included in the search
(or excluded from the search if the Exclude the Following Selection(s) option is
checked).
By default, all users, computers and groups will be included in a new search
definition and therefore, this list will be empty.
On the Who tab, click the Add tool bar button to add an active user, computer or group to the who list.
On the Select Active Directory Object dialog, use either the Browse or Search page to search your
environment to locate and select the user, computer or group to be included. Click the Add button to
add it to your selection list.
Repeat to include each additional directory object.
After selecting one or more directory objects, click the Select button to save your selection and close
the dialog.
NOTE: You can use the Add with Events tool bar button (instead of Add) to select a user, computer
or group that already has an audit event associated with it in the database. The accounts available
for selection are based on the when clause (When tab) and the search limit (Info tab) specified
for the current search.
Use this feature to search for events that are tied to users who have been removed from Active
Directory.
When this search is run, Change Auditor will now search for change events generated by only the user(s),
computer(s) and group(s) listed on the Who tab.
TIP: If you are running One Identity ActiveRoles Server or GPOADmin and want to include events
generated by One Identity ActiveRoles Server or GPOADmin in the search, select the Include Event
Source Initiator check box. For more information, see the Dell One Identity ActiveRoles Server
Integration or Dell GPOADmin Integration appendices in the Dell Change Auditor Installation
Guide.
On the Who tab, expand the Add tool bar button and select the Add Wildcard Expression option.
On the Add Who dialog, enter the wildcard expression to be used to search for a user (domain\user
name) or group (domain\group name):
In the field to the right, enter the pattern (character string and * wildcard character) to be used
to search for a match. Use the * wildcard character to match any string of zero or more
characters.
For example, LIKE *admin* will find all users with the character string admin anywhere in the
name.
Dell Change Auditor 6.7
User Guide
By default, the wildcard expression will be used to search for a user. To search for a group, select
the Group option.
NOTE: When using the Group option, the Group Membership Expansion option on the
Coordinator Configuration page (on the Administration Tasks tab) must be set to Expand all
groups.
After entering the wildcard expression to be used, click the OK button to close the dialog and add the
wildcard expression to the who list.
When this search is run, Change Auditor will search for change events generated by the users (or users
that are members of the groups) whose name matches the specified wildcard expression.
What tab
Use the What tab to define what entities are to be included (or excluded) in the search. More specifically,
using this tab you can create a search for events based on:
Subsystem
Event Class
Object Class
Severity
Result
When criteria are specified on the What tab, Change Auditor will retrieve only those events that match the
criteria listed on the What tab. When multiple what criteria are specified on this tab, Change Auditor uses the
AND operator to evaluate an event and returns only those events that meet all the specified criteria. However,
when multiple subsystems (e.g., Active Directory, ADAM and Exchange) are specified, Change Auditor uses the
OR operator to evaluate these entities, returning events that meet any of the specified subsystem criteria.
This also applies when multiple event classes are specified. That is, when multiple event classes are specified,
Change Auditor uses the OR operator and returns any of the specified events.
NOTE: By default, all Change Auditor events will be included in a new search definition and therefore the
list box on the What tab will be empty.
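As an added example (not code from the product or this guide), the following Python models the combination rules described above and on the Who tab: values inside one tab or one What entity are OR-ed, different What entities are AND-ed, the Exclude check box inverts a list, and the * wildcard matches zero or more characters. The event fields, the sample events and the case-insensitive comparison are this example's own assumptions; it applies the same OR rule to the Where and Origin tabs, which the guide describes the same way.

```python
import re
from dataclasses import dataclass, field


def like(pattern: str, value: str) -> bool:
    """Wildcard match as used on the Who/Where/Origin tabs: '*' matches any
    string of zero or more characters and the pattern must cover the whole
    value, so LIKE *admin* finds 'admin' anywhere in a name while LIKE *local
    only matches names ending in 'local'. Case-insensitive comparison is an
    assumption of this example (Windows/AD names are not case-sensitive)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


@dataclass
class Selection:
    """One tab's list of names/patterns plus its 'Exclude the Following
    Selection(s)' check box. An empty list means 'all' (the tab default)."""
    patterns: list = field(default_factory=list)
    exclude: bool = False

    def matches(self, value: str) -> bool:
        if not self.patterns:
            return True
        hit = any(like(p, value) for p in self.patterns)  # OR inside one list
        return not hit if self.exclude else hit


@dataclass
class SearchDefinition:
    """Who, What, Where and Origin criteria of one search (constructed model)."""
    who: Selection = field(default_factory=Selection)
    # What tab: one Selection per entity (subsystem, event_class, severity, result).
    # Values inside an entity are OR-ed; different entities are AND-ed.
    what: dict = field(default_factory=dict)
    where: Selection = field(default_factory=Selection)
    origin: Selection = field(default_factory=Selection)

    def accepts(self, event: dict) -> bool:
        if not self.who.matches(event["who"]):
            return False
        for entity, selection in self.what.items():
            if not selection.matches(event[entity]):
                return False
        if not self.where.matches(event["agent"]):
            return False
        return self.origin.matches(event["origin"])


def run_search(definition: SearchDefinition, events: list) -> list:
    """Return the ids of the events the definition would return, in order."""
    return [e["id"] for e in events if definition.accepts(e)]


def ev(i, who, subsystem, event_class, severity, result, agent, origin):
    return {"id": i, "who": who, "subsystem": subsystem, "event_class": event_class,
            "severity": severity, "result": result, "agent": agent, "origin": origin}


# Constructed sample events; accounts, hosts and addresses are made up.
SAMPLE_EVENTS = [
    ev(1, r"CORP\jadmin", "Active Directory", "Group Member Added", "High", "Success", "DC01", "WS-PC01"),
    ev(2, r"CORP\jsmith", "Active Directory", "Password Reset", "Medium", "Failed", "DC01", "WS-PC02"),
    ev(3, r"CORP\svc_admin", "Exchange", "Mailbox Permission Added", "High", "Success", "EX01.local", "WS-PC01"),
    ev(4, r"CORP\jsmith", "ADAM", "Object Deleted", "High", "Success", "APP01.local", "10.0.0.5"),
    ev(5, r"CORP\admin", "File System", "File Deleted", "Low", "Success", "FS01", "10.0.0.7"),
]


def privileged_directory_changes() -> list:
    """Who LIKE *admin*; What: subsystem Active Directory OR Exchange, AND
    severity High; Where: every agent EXCEPT those whose name ends in 'local'."""
    definition = SearchDefinition(
        who=Selection(["*admin*"]),
        what={"subsystem": Selection(["Active Directory", "Exchange"]),
              "severity": Selection(["High"])},
        where=Selection(["*local"], exclude=True),
    )
    return run_search(definition, SAMPLE_EVENTS)


def everything_but_failures() -> list:
    """Result entity with 'Exclude the Above Selection(s)': all events except Failed."""
    definition = SearchDefinition(what={"result": Selection(["Failed"], exclude=True)})
    return run_search(definition, SAMPLE_EVENTS)


def from_lab_subnet() -> list:
    """Origin tab wildcard applied to the originating IP address."""
    return run_search(SearchDefinition(origin=Selection(["10.0.0.*"])), SAMPLE_EVENTS)


if __name__ == "__main__":
    print(privileged_directory_changes(), everything_but_failures(), from_lab_subnet())
```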
Once criteria are added, the criteria list box contains an expandable view displaying the following information for
all the criteria defined for the search definition:
Entity
Lists the entity (subsystem, event class, object class, severity or result) selected. Expanding the Entity
entry displays the specific criteria and any options or restrictions, defined as part of the search criteria.
Exclude
Indicates whether the criteria are to be included in (False) or excluded from (True) the search definition.
Action(s)
When applicable, this column displays the actions (all, add attribute, delete attribute, modify attribute,
rename object, add object, delete object, or other) included in the search definition.
Transport(s)
When applicable, this column displays the transports (all, SSL/TLS or Sign/Seal) included in the search
definition.
Click the expansion box to the left of the Entity field to expand this view to display the following details:
Object
Displays the object selected for auditing.
Restriction
If applicable, this field displays the additional restrictions specified for the search definition.
NOTE: Only displayed when the entity is an Event Class.
Scope
Indicates the scope specified (All Object, This Object, This Object and Child Objects Only, This Object
and All Child Objects).
NOTE: Only displayed when the entity is Active Directory, ADAM, Exchange, File System, Group
Policy, Local Account or Registry.
Action(s)
Lists the actions specified in the search criteria (e.g., Add Object, Delete Object, Move Object, etc.).
NOTE: Only displayed when the entity is Active Directory, ADAM, Exchange, File System, Group
Policy, Local Account or Registry.
Transport(s)
Lists the transports included in the search criteria (All, SSL/TLS or Sign/Seal).
NOTE: Only displayed when the entity is Active Directory, ADAM, Exchange or AD Query.
Object Class - Dell Change Auditor for Active Directory User Guide
Subsystem | Active Directory - Dell Change Auditor for Active Directory User Guide
Subsystem | AD Query - Dell Change Auditor for Active Directory Query User Guide
Subsystem | ADAM (AD LDS) - Dell Change Auditor for Active Directory User Guide
Subsystem | Exchange Online - Dell Change Auditor for Exchange User Guide
Subsystem | File System - Dell Change Auditor for Windows File Servers User Guide, Dell
Change Auditor for EMC User Guide or Dell Change Auditor for NetApp User Guide
Subsystem | Group Policy - Dell Change Auditor for Active Directory User Guide
Subsystem | Logon Activity - Dell Change Auditor for Logon Activity User Guide
Subsystem | SQL - Dell Change Auditor for SQL Server User Guide
On the What tab, click the Add tool bar button. (Or expand the Add button and select Event Class.)
NOTE: You can use the Add with Events | Event Class command (instead of Add | Event Class) to
select an entity that already has an event in the database.
On the Add Facilities or Event Classes dialog, select a single event, click the Add button and select the
Add This Event or Add All Events in Facility command.
NOTE: When multiple events are selected, Change Auditor uses the OR operator to evaluate the
change events, returning any of the events specified.
Depending on the event class entry selected in the data grid, an additional Restriction pane may be
displayed across the middle of this dialog.
For some event classes, use the restriction pane to specify 'from' and/or 'to' value restrictions. To define
a restriction, select the appropriate check box and enter the value.
For other event classes (such as DNS Zone, Distribution and Security groups), use the restriction pane to
apply filter options for filtering by individual parameter values (for example, auditing of static DNS
entries).
To do this, select the Filter by parameter check box and then select from the available parameter
values that are activated (e.g., for the DNS Entry Type parameter, you can select Static and/or
Automatically expiring).
Once you have defined the restrictions, use either the Add or Update Restriction buttons as described
below:
If the event has not been added to the Selections list box, click the Add button to add the event
to the selection list.
If the event was previously added to the Selections list box, click the Update Restriction button
to update the restrictions for the event.
NOTE: You can also use the Shift and Ctrl keys to add multiple event classes to the selection list.
However, the restrictions pane and the Add | Add All Events in Facility command will not be
available when multiple event classes are selected.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all event
classes/facilities except those listed in the what list.
NOTE: Select the Runtime Prompt check box on this dialog, to prompt for the facility or event
class criteria every time the search is run. When this check box is checked, the data grid and
buttons on this dialog will be disabled.
You cannot enable alerting for search definitions that use the Runtime Prompt option.
Once you have made your selection(s), click the OK button to save your selection and close the dialog.
The search criteria listed on the What tab now defines what will be searched for when this search is run.
On the What tab, expand the Add tool bar button and select Subsystem | Local Account.
NOTE: You can use the Add with Events | Subsystem | Local Account command (instead of Add |
Subsystem | Local Account) to select an entity that already has an event in the database.
On the Add Local Account dialog, select one of the following options to define the scope of coverage:
If you selected This Object, the data grid, which displays a list of all the users and groups in the local
SAM databases on the selected Member Server, and associated buttons will be enabled.
To add an account, select the account in the data grid and click the Add button to add it to the selection
list at the bottom of the dialog. Repeat to add additional accounts.
To replace an account in the selection list, select the new account in the data grid, select the old
account in the selection list and click the Update button. The entry in the selection list will be replaced
with the new account.
To select a local account on a different computer, click the Browse button to the right of the Account
field. On the Select Active Directory Object dialog, use the Browse or Search pages to locate and select
another computer. Click the Select button to save your selection and close the dialog.
On the Add Local Account dialog, the local user and group accounts available on the specified computer
will then be displayed in the data grid.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events
generated by all local accounts except those listed in the what list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a local account every
time the search is run. When this check box is checked, the data grid and buttons on this dialog
will be disabled.
You cannot enable alerting for search definitions that use the Runtime Prompt option.
Once you have selected the local accounts to be included in the search, click the OK button to save your
selection and close the dialog.
When this search is run, Change Auditor will search for events generated by the local account(s) listed on
the What tab.
On the What tab, expand the Add tool bar button and select Subsystem | Registry.
NOTE: You can use the Add with Events | Subsystem | Registry command (instead of Add |
Subsystem | Registry) to select an entity that already has an event in the database.
On the Add Registry Key dialog, select one of the following options to define which system registry keys
are to be included in your search definition:
All Registry Keys - select this option to include all registry keys
This Object - select this option to include only the selected objects
This Object and Child Objects Only - select this option to include the selected objects and their
direct child objects
This Object and All Child Objects - select this option to include the selected objects and all
subordinate objects (in all levels)
By default, All Actions is selected meaning that all of the registry actions listed will be included in the
search definition. However, you can clear the All Actions option and select individual actions for
auditing.
Select one or more of the following options:
All Actions - select this option to include all of the actions. When this option is selected, all of
the other options are disabled. (Default)
Add Value - select this option to include when a new value is added to the selected registry key.
Delete Value - select this option to include when a registry key value is removed.
Modify Value - select this option to include when a registry key value is modified.
Add Key - select this option to include when a new registry key is added.
Delete Key - select this option to include when a registry key is removed.
When a scope option other than the All Registry Keys option is selected, the registry key hierarchy will
be enabled allowing you to locate and select an individual registry key.
Expand the hierarchy to locate and select a registry key. Then click the Add button to add it to the
selection list box at the bottom of the dialog. Repeat to add additional registry keys.
NOTE: If you selected the Add With Events command, the registry key hierarchy pane will be
replaced with a data grid listing the registry keys that have an event associated with it in the
database.
To replace a registry key in the selection list, select the new registry key in the hierarchy, select the
old key in the selection list and click the Update button. The entry in the selection list will be replaced
with the new registry key.
To select a registry key on a different computer, click the Browse button to the right of the Path field.
On the Select a Directory Object dialog, use the Browse or Search pages to locate and select another
computer. Click the Select button to save your selection and close the dialog.
On the Add Registry Key dialog, the system registry keys associated with the specified computer will then
be displayed in the hierarchy view.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events in all
registry keys except those listed in the what list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a registry key every time
the search is run. When this check box is checked, the hierarchy pane/data grid and buttons on
this dialog will be disabled.
You cannot enable alerting for search definitions that use the Runtime Prompt option.
Once you have selected the registry keys to be included in the search, click the OK button to save your
selection and close the dialog.
When this search is run, Change Auditor will search for the selected events (actions) in the registry
key(s) listed on the What tab.
On the What tab, expand the Add button and select Subsystem | Service.
NOTE: You can use the Add with Events | Subsystem | Service command (instead of Add |
Subsystem | Service) to select an entity that already has an event in the database.
On the Add Service dialog, select one or more services from the list at the top of the dialog and click the
Add button to move them to the selection list box at the bottom of the page.
You can also click the Add All button to include all the listed services in the search definition.
To select services on a different computer, click the Browse button to the right of the You are viewing
services on field. On the Select a Directory Object dialog, use the Browse or Search pages to locate and
select another computer. Click the Select button to save your selection and close the dialog.
On the Add Services dialog, the services found on the specified computer will then be displayed.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for events for all
services except those listed in the what list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a service every time the
search is run. When this check box is checked, the data grid and buttons on this dialog will be
disabled.
You cannot enable alerting for search definitions that use the Runtime Prompt option.
Once you have selected the services to be included in the search, click the OK button to save your
selection and close the dialog.
When this search is run, Change Auditor will search for change events to the service(s) listed on the What
tab.
On the What tab, expand the Add button and select Subsystem | VMware.
NOTE: You can use the Add with Events | Subsystem | VMware command (instead of Add |
Subsystem | VMware) to select a host that already has an event associated with it in the
database.
On the Add VMware Host dialog, select the This Object option. Selecting this option enables the
remaining fields/controls on this dialog.
Click the check box under the Host Name heading to specify the VMware host (vCenter Server
or host computer) to be included in the search.
Enter the full name of a VMware host (vCenter Server or individual host computer) or a
pattern (character string and * wildcard character) to be used to search host names for a
match. Use the * wildcard character to match any zero or more characters. For example,
Like *host* will find VMware hosts that contain host anywhere in their name.
To restrict the search to a specific virtual machine, click the check box under the VM Name
heading.
Enter the full name of the virtual machine or a pattern (character string and * wildcard
character) to be used to search virtual machine names for a match. Use the * wildcard
character to match any zero or more characters. For example, Like *dc* will find virtual
machines that contain dc anywhere in their name.
NOTE: If both the Host Name and VM Name are specified, both expressions must be met
before an event will be returned.
Click the Add button to add the expression to the selection list at the bottom of the page.
Repeat this step to add any additional VMware hosts and/or VMs to the search query.
NOTE: When multiple entries are added to the selection list at the bottom of this page, Change
Auditor uses the OR operator to evaluate change events, returning events that meet any of the
entries listed.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to
all VMware hosts EXCEPT those listed in the what list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for the VMware host every
time the search is run. When this check box is checked, the options on this dialog are disabled.
You cannot enable alerting for search definitions that use the Runtime Prompt option.
Once you have defined the VMware hosts/virtual machines to be included in the search, use the OK
button to save your selection and close the dialog.
When this search is run, Change Auditor will search for changes to VMware hosts/virtual machines that
meet the expression(s) specified on the What tab.
On the What tab, expand the Add button and select Severity.
NOTE: You can use the Add with Events | Severity command (instead of Add | Severity) to select
a severity that already has an event associated with it in the database.
On the Add Severities dialog, select one or more severity levels and click the Add button to add them to
the selection list box at the bottom of the dialog.
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for all events
except those assigned a severity level that is listed in the what list.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a severity every time the
search is run. When this check box is checked, the data grid and buttons on this dialog will be
disabled.
You cannot enable alerting for search definitions that use the Runtime Prompt option.
Once you have defined the severity level(s) to be included in the search, use the OK button to save your
selection and close the dialog.
When this search is run, Change Auditor will search for events with the severity level(s) that are included
on the What tab.
On the What tab, expand the Add button and select Result.
NOTE: You can use the Add with Events | Result command (instead of Add | Result) to select an
entity that already has an event associated with it in the database.
On the Add Results dialog, select one or more results (none, success, protected or failed) and use the Add
button to add them to the selected list box at the bottom of the dialog.
NOTE: Select the Exclude The Above Selection(s) check box if you want to search for all events
except those with the selected result.
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a result every time the
search is run. When this check box is checked, the data grid and buttons on this dialog will be
disabled.
You cannot enable alerting for search definitions that use the Runtime Prompt option.
Once you have defined the result(s) to be included in the search, use the OK button to save your
selection and close the dialog.
When this search is run, Change Auditor will search for events with the result(s) that are included on the
What tab.
Where tab
The Where tab allows you to specify which Change Auditor agents are to be included (or excluded) in the search
definition. You can select individual Change Auditor agents, all agents in a specific domain or a given site. When
multiple where criteria are added to this tab, Change Auditor uses the OR operator to evaluate change events,
returning events that were captured by any of the specified agents, domains or sites.
Field/Control
Description
Runtime Prompt
Select this check box to prompt for the where criteria whenever the search is run.
That is, when the Run tool bar button is selected, the Select Active Directory
Objects dialog will be displayed allowing you to locate and select the agent(s),
domain(s) or site(s) to be included in the search definition.
NOTE: When this check box is checked, the Add tool bar buttons will be
deactivated.
NOTE: You cannot enable alerting for search definitions that use the Runtime
Prompt option.
Exclude the Following Selection(s)
Select this check box to specify the agents, domains or sites to be excluded from
the search. That is, Change Auditor is to return events generated from all Change
Auditor Agents except those listed in the Where list.
Where list
By default, all agents will be included in a new search and therefore this list box
will initially be empty.
Once criteria are selected, this list box will contain the agents, domains and sites to
be included in the search (or excluded from the search if the Exclude the
Following Selection(s) option is checked).
Open the Where tab and click the Add tool bar button.
On the Choose the Agents, Domains or Sites to Include dialog, use the Browse or Search pages to locate
and select an individual agent, a domain or a site.
NOTE: You can also select the Grid View option to select an agent from a list rather than using the
Explorer View to locate it within your environment.
Click the Add button to add your selection to the selection list box at the bottom of the page.
NOTE: You can use the Add With Events button (instead of Add) to select an agent, domain or site
which already has an event associated with it in the database.
Once you have selected the agents, domains and sites to be included in the search, click the OK button
to save your selection and close the dialog.
The agents, domains and/or sites listed on the Where tab now define where the search will be conducted
when this search is run.
On the Where tab, expand the Add tool bar button and select the Add Wildcard Expression option.
On the Add Where dialog, enter the wildcard expression to be used to search for an agent (NetBIOS
name), domain or site:
In the field to the right, enter the pattern (character string and * wildcard character) to be used
to search for a match. Use the * wildcard character to match any string of zero or more
characters.
For example, LIKE *local will find all agents whose NetBIOS name ends in local.
By default, the wildcard expression will be used to search for an agent. To search for a domain or
site, select the Domain or Site option.
After entering the wildcard expression to be used, click the OK button to close the dialog and add the
wildcard expression to the where list.
When this search is run, Change Auditor will search for change events generated on the domains, sites or
agents whose name matches the specified wildcard expression.
When tab
The When tab allows you to limit the returned results of the search by date and/or time. By default, a new
search is set to include the change events captured this week.
Field/Control
Description
Runtime Prompt
Select this check box to prompt for the date and/or time interval whenever the
search is run. That is, when the Run tool bar button is selected, the When dialog
will be displayed allowing you to specify the date/time range to be used in your
search.
NOTE: When this check box is checked, the Add tool bar buttons will be
deactivated.
NOTE: You cannot enable alerting for search definitions that use the Runtime
Prompt option.
Date Interval
Check one of the following options to change the default setting and define a different date range to limit
your search.
From/To
From: Enter the start date for your date range; or click the arrow control to
display a calendar from which to select the start date. Only events that
occurred on or after this date will be included in the search.
To: Enter the end date for your date range; or click the arrow control to
display a calendar from which to select the end date. Only events that
occurred before or on this date will be included in the search.
Last
Select this check box and the appropriate relative date and value (i.e., number of
minutes, hours, days, weeks, months, quarters or years).
NOTE: Relative dates are calculated based on the actual date and time when the
search is started.
This
Select this check box and click the arrow control to select the appropriate
date/time interval:
This Day: Start parameter is TODAY at midnight local time; end parameter is
the current date and time.
This Week: Start parameter is midnight local time on the day specified in
the First Day of Week parameter (Regional and Location setting) on the local
machine (e.g., SUNDAY); end parameter is the current date and time.
(Default for new searches.)
This Month: Start parameter is the first day of the current month at
midnight local time; end parameter is the current date and time.
Time Interval
Use this pane to specify a time range to further limit your search.
From
Use the arrow controls to select or enter the starting time for your time range. Only
events that occurred at or after this time will be included in the search.
To
Use the arrow controls to select or enter the ending time for your time range. Only
events that occurred before or at this time will be included in the search.
Reset
In the Date Interval pane, check one of the following options to specify a date range to limit your search:
From/To - select this option and enter the date range to be used.
Last - select this option and the appropriate relative date and value (i.e., number of minutes,
hours, days, weeks, months, quarters or years).
This - select this option and click the arrow control to select the appropriate time interval (i.e.,
Day, Week or Month).
In the Time Interval pane, optionally specify a time range to further limit your search.
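The date-window rules described for the When tab (This Day/Week/Month starting at local midnight, Last intervals taken from the moment the search starts, From/To including both dates), worked through in Python as an added example that is not part of this guide. The function names, and the assumption that the Time Interval pane applies to the time of day on every day in the range, are this example's own.

```python
from datetime import date, datetime, time, timedelta

# Names of the regional 'First Day of Week' setting, in datetime.weekday() order.
WEEKDAYS = ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY"]


def this_interval(kind: str, now: datetime, first_day_of_week: str = "SUNDAY"):
    """Start/end of 'This Day', 'This Week' or 'This Month'.

    The end is always the current date and time; the start is midnight local
    time of today, of the most recent First Day of Week (regional setting),
    or of the first day of the current month. Just after a week or month
    boundary the window therefore covers only a few hours, which matters when
    a saved search with 'This Week' (the default) is reused for reporting.
    """
    today = now.date()
    if kind == "Day":
        start_day = today
    elif kind == "Week":
        first = WEEKDAYS.index(first_day_of_week.upper())
        start_day = today - timedelta(days=(today.weekday() - first) % 7)
    elif kind == "Month":
        start_day = today.replace(day=1)
    else:
        raise ValueError(f"unknown interval: {kind}")
    return datetime.combine(start_day, time.min), now


def last_interval(count: int, unit: str, now: datetime):
    """'Last N minutes/hours/days/weeks', calculated from the moment the search
    starts (the relative-date rule in the NOTE above). Months, quarters and
    years need calendar arithmetic and are left out of this example."""
    return now - timedelta(**{unit: count}), now


def from_to_interval(start: date, end: date):
    """From/To: events on or after the From date and before or on the To date,
    so both calendar days are included in full."""
    return datetime.combine(start, time.min), datetime.combine(end, time.max)


def in_window(event_time: datetime, window, time_from: time = None, time_to: time = None) -> bool:
    """Apply a Date Interval window plus the optional Time Interval pane
    ('at or after' From, 'before or at' To) to one event timestamp. Treating
    the time range as a time-of-day filter across the whole date range is an
    assumption of this example."""
    start, end = window
    if not start <= event_time <= end:
        return False
    clock = event_time.time()
    if time_from is not None and clock < time_from:
        return False
    return time_to is None or clock <= time_to
```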
Origin tab
The Origin tab allows you to search for events based on the workstation or server from which the event
originated. When multiple origin criteria are specified on this tab, Change Auditor uses the OR operator to
evaluate change events, returning events that originated from any of the specified workstations or servers.
The Origin tab contains the following information/controls:
Table 11. Origin tab: Field/control descriptions
Field/Control
Description
Runtime Prompt
Select this check box to prompt for the originating workstation or server whenever
the search is run. That is, when the Run tool bar button is selected, the Add Origin
dialog will be displayed allowing you to enter the wildcard expression to locate a
specific workstation or server.
NOTE: When this check box is checked, the Add tool bar buttons will be
deactivated.
NOTE: You cannot enable alerting for search definitions that use the Runtime
Prompt option.
Origin list
By default, all events regardless of where they originated will be included in a new
search and therefore this list box will initially be empty.
Once criteria are selected, this list box will contain the wildcard expression used to
locate the workstation(s) and server(s) to be included in the search (or excluded
from the search if the Exclude the Following Selection(s) option is checked).
On the Add Origin dialog, enter the wildcard expression to be used to search for a workstation or server,
based on its NetBIOS name or IP address:
In the field to the right, enter the pattern (character string and * wildcard character) to be used
to search for a match. Use the * wildcard character to match any string of zero or more
characters.
After entering the wildcard expression to be used, click the OK button to close the dialog and add the
wildcard expression to the origin list.
When this search is run, Change Auditor will search for change events originating on
workstations/servers whose name or IP address matches the specified wildcard expression.
NOTE: You can use the Add with Events tool bar button (instead of Add) to select a workstation or server
that already has an event associated with it in the database. The workstations/servers available for
selection are based on the when clause (When tab) and the search limit (Info tab) specified for the
current search.
Alert tab
The Alert tab allows you to enable alerting and define how and where to dispatch alerts. Refer to Alert tab
(Search Properties tabs) for a detailed description of the contents of this tab.
Report tab
The Report tab allows you to enable reporting and define when and where to send the email report. Refer to
Report tab (Search Properties tabs) for a detailed description of the contents of this tab.
Layout tab
NOTE: In previous versions of Change Auditor, this tab was referred to as the Advanced tab.
Using the Layout tab, you can define the data (columns) to be retrieved from the database and displayed for the
selected search. From this tab you can also define the column order, sort criteria and order, groupings and the
format to be used for displaying the retrieved data. The layout defined on this tab is used for both displaying
the search results in the client and for the report layout when reporting is enabled on the Report tab.
Field/Control
Description
Unselected Columns
Displays the event details that can be retrieved from the database.
Selected Columns
Displays the event details that are being retrieved from the database. It also
displays the order in which the columns will be presented, i.e., the top entry will
be the left-most column in the search results grid/report.
To add and remove columns from this table, use the buttons to the left of the table:
To rearrange or sort the columns for display, use the buttons to the right of the
table:
Adds the selected column to the Sort Criteria table. This column is
placed after the column selected in the Sort Criteria table.
Removes the column selected in the Sort Criteria table from the sort
criteria.
Sort Criteria
Order By - specifies the column(s) to be used to sort the data. The primary
sort criteria is listed first.
To rearrange the sort criteria, use the buttons to the right of the table:
Resets the Sort Criteria and Display Results tables back to the factory
defaults.
Search Results
Specifies the format to be used to display the search results on the Search Results
page.
When a grouping is defined, select one of the following options:
In a Grid (default)
As a Pie Chart
As a Bar Graph
NOTE: These options are only available when a single level of grouping is defined
(i.e., only one column contains a Yes in the Group By column of the Sort Criteria
table).
NOTE: The options in this table apply only to the search results in the client; they
do not apply to reports.
Review the columns listed in the Selected Columns table (second table from the left) to determine if it
contains the information you want to display for the selected search.
To add a column, select the column from the Unselected Columns table and click the right arrow button
(located between the first two tables) to move it to the Selected Columns table.
You can also drag and drop a column to the Selected Columns table.
To remove a column from display, select the column from the Selected Columns table and click the left
arrow button (located between the first two tables) to move it back to the Unselected Columns table.
You can also drag and drop a column back to the Unselected Columns table.
The Selected Columns table also displays the order the columns will be presented. To rearrange the
order of the columns, in the Selected Columns table select the column to be moved and click the up or
down arrow button (located to the right of the Selected Columns table) to move the selected column to
the desired location. The top entry will be the left-most column in your display/report.
You can also drag and drop columns in this table to define the order.
NOTE: To reset the column selection and arrangements in the Selected Columns table back to the
factory defaults, click the restore button (located to the right of the Selected Columns table).
The Sort Criteria table (third table) defines the order to be used to sort the search results. To define the
sort criteria for your search results, select a column in the Selected Columns table and click the right
arrow button (located to the right of the Selected Columns table) to move it to the Sort Criteria table.
To specify secondary sort criteria, add the additional column to the Sort Criteria table. Use the arrow
controls to the right of the Sort Criteria table to define the primary (first column in list) and subsequent
sort criteria.
You can also drag and drop columns between the Selected Columns and Sort Criteria tables and within
the Sort Criteria table to define the sort criteria.
To change the direction, ascending or descending, select a column in the Sort Criteria table, click in the
Direction cell and select either ascending (ASC) or descending (DESC) from the drop-down menu.
In addition, you can use the Group By column to define groupings. To group the selected search's results,
select the column to be used for the grouping, click in the Group By cell and select Yes from the drop-down menu.
When a single level of grouping is defined (only one column contains a Yes in the Group By column of the
Sort Criteria table), you can select one of the following options in the Display Results table to define the
display format to be used for the selected search:
In a Grid (default)
As a Pie Chart
As a Bar Graph
NOTE: The settings in the Search Results table do not apply to reports.
NOTE: To reset the settings in the Sort Criteria table and Search Results table back to the default
settings, click the restore button (located to the right of the Sort Criteria table).
10 Click one of the following tool bar commands to save your selections:
Save
Save As | Save As
SQL tab
The SQL tab displays the SQL query built to run the selected search. This information is only available once a
search has been created.
NOTE: The SQL tab is hidden by default. To display the SQL tab, use the Action | Show SQL Tab menu
command.
Open the application (e.g., Notepad) to which the content is to be pasted, right-click and select Paste.
XML tab
The XML tab displays the XML representation of the search criteria. This same information can be exported by
right-clicking a search in the Searches list on the Searches page and selecting the Export command.
NOTE: The XML tab is hidden by default. To display the XML tab, use the Action | Show XML Tab menu
command.
Open the application (e.g., Notepad) to which the content is to be pasted, right-click and select Paste.
8 Enable Alert Notifications
Introduction
Enable alerts
Disable alerts
Introduction
Change Auditor can generate alerts when certain kinds of configuration changes occur. These alerts appear in
the Change Auditor client and are then dispatched to designated recipients via email (SMTP), SNMP or WMI
events.
NOTE: You cannot enable alerting for search definitions that use the Runtime Prompt option.
NOTE: SMTP, SNMP and/or WMI must be configured to receive Change Auditor alerts BEFORE any alert
notifications will be sent.
Smart Alert Technology provides intelligent event correlation by notifying administrators when event patterns
cause potential security risks. Administrators can customize the Smart Alerts to match their security policies.
For example, if a privileged account is attempting to log on with a bad password at multiple machines within a
predetermined time period, a proactive alert can be generated.
This chapter provides a description of the Alert tab and instructions on how to enable and disable alert
notifications. It also provides a description of the Alert History page and instructions for viewing and deleting
the alert history. For a description of the other dialogs mentioned in this chapter, refer to the online help.
The Alert tab contains the following settings:
Alert Enabled - Select the Alert Enabled check box to enable an alert for the current search
definition. This option becomes available only after one of the transport methods is selected in the
Send Alert To setting on this tab.
Send Alert To - Select all of the transport options that are to be applied to this search definition:
SNMP - Select this option to dispatch Change Auditor alerts for this search definition via SNMP traps.
WMI - Select this option to dispatch Change Auditor alerts for this search definition via WMI (Windows
Management Instrumentation) events.
SMTP - Select this option to dispatch alerts for this search definition via email. Selecting this option
will display the Alert Custom Email dialog allowing you to specify the email address of the person(s)
who are to receive the email notification.
History Search Limit - By default, up to 50,000 events can be included in the alert history. Use the
arrow controls to increase or decrease this value to define the maximum number of events to be included
in the alert history.
NOTE: The History Search Limit setting is a global setting and changes made to this setting will be
applied to ALL alerts.
Configure Email - For SMTP alerts, click the Configure Email button to display the Alert Custom Email
dialog to change the details about the alert email to be sent, including the To address, the Reply To
address, and the Subject Line. In addition, from the Alert Custom Email dialog you can access the Alert
Body Configuration dialog to configure the body of the email alert.
NOTE: If SMTP is not configured, a message box appears stating that the Coordinator email configuration
has not been configured. Open the Administration Tasks tab and use the Coordinator Configuration page to
enable email notification and configure SMTP.
Events Per Email - For SMTP alerts, a maximum of 100 events will be included in a single alert email by
default. Use the arrow controls to increase or decrease this value to define the maximum number of
events to be included in an email.
Time zone - For SMTP alerts, use this field to specify the time zone to be used for the alert's
date/time stamp in the notification emails. By default, the time zone of the machine where the Change
Auditor client resides will be used.
Smart Alert Enabled - Select this check box to specify under what conditions an alert is to be sent.
This feature is only available for SMTP and SNMP notifications.
On a Single Object - Select this check box to specify that the event must occur for the same object the
specified number of times before the alert will be triggered. When this check box is cleared (default),
the event can occur on any object the specified number of times to trigger the alert.
Enable alerts
Using the Searches page, you can enable/disable alert notifications for individual search definitions and
dispatch them via SMTP (email), SNMP or WMI.
NOTE: The right-click commands available for enabling/disabling alert notifications are available when
multiple search definitions are selected. However, you can only enable/disable alert notifications using
the Alert tab when a single search definition is selected.
To enable SMTP alerts:
Expand the Private or Shared folders in the explorer view to locate the search to which an alert is to be
associated. Select the search from the Search list in the right-hand pane.
Use one of the following methods:
Right-click the search and select the Alert | Enable Transport | SMTP command.
Open the Alert tab and select the SMTP check box and then the Alert Enabled check box. (If the
Search Properties tabs are not being displayed, right-click the search definition and select Show
Properties).
NOTE: If SMTP is not configured, a message box will display stating that the coordinator email
configuration has not been configured. Open the Administration Tasks tab and use the Coordinator
Configuration page to configure SMTP.
Using either of these methods displays the Alert Custom Email dialog allowing you to enter the email
address of the person(s) who are to receive the alert notification. Depending on whether an Exchange host
is specified, one of the following dialogs is displayed for selecting recipients:
The Select Active Directory Objects dialog (directory object picker), where you can use the
Browse or Search page to locate Active Directory user(s). This dialog is displayed when no
Exchange host is specified in the SMTP Configuration pane of the Coordinator Configuration page.
The Search Users dialog, allowing you to locate and select an Exchange user (Exchange tab) or an
Active Directory user (Active Directory tab). This dialog is displayed when an Exchange host is
defined in the SMTP Configuration pane of the Coordinator Configuration page.
NOTE: You can enter an individual email address or distribution list address in the To, Cc or Bcc
fields. You can also send the alert notification to additional recipients by selecting the appropriate
check box, as described below:
Add Who - Select this check box to send an alert to the user who initiated the change that
triggered the alert.
Add Owner(s) - Select this check box to send an alert to the Exchange Mailbox owner whose
mailbox was accessed by another user and their action triggered an alert. (This feature only
applies to Exchange Mailbox Monitoring, which is available in Change Auditor for Exchange.)
Add Managed By - For events associated with groups that are being managed by another
account, select this check box to send an alert to the managing user's email.
Once a check box is selected, select the corresponding option to add it to the To, Cc or Bcc field.
By default, the values entered on the SMTP Configuration pane of the Coordinator Configuration page
will be used for the following fields/settings:
Reply To address
Subject line
If you do not want to use these default settings for the current search query, you can modify them on the
Alert Custom Email dialog. To modify the body of the email alert, click the Configure Body button.
Once you have finished specifying the recipient email addresses, click OK to save your selections and
close the dialog.
In addition, you can change the following alert configuration settings using the Alert tab (Search
Properties tabs):
By default, up to 50,000 events will be included in the alert history. Use the History Search Limit
setting to change this value. (This setting is a global setting and changes made to this setting will
be applied to ALL alerts.)
By default, a maximum of 100 events will be included in a single alert email. Use the Events Per
Email setting to change this number.
By default, the time zone of the machine where the Change Auditor client resides will be used for
an alert's date/time stamps in the email. To change the time zone to be used for these date/time
stamps, select the time zone from the drop-down list.
If you want to specify under what conditions an alert is to be sent, select the Smart Alert
Enabled check box and specify the number of events that must occur within a specified time
interval before generating/dispatching the alert.
By default, a smart alert is generated when the event occurs on any object the specified number
of times. You can however, select the On a Single Object option to have the smart alert triggered
when the event occurs on the same object the specified number of times.
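The Smart Alert behaviour described in the chapter introduction (a privileged account failing to log on at several machines within a predetermined period) and in the two settings just listed (Smart Alert Enabled with an event count and interval, and On a Single Object) amounts to a sliding-window event correlator. The Python below is an added illustration of that logic and is not Change Auditor code; the Event fields, the SmartAlert and evaluate names, the one-alert-per-burst reset and the constructed bad-password events are assumptions made for this example, and the page does not state how the product itself treats events that fall exactly on the edge of the interval.

```python
"""Sliding-window correlation in the style of the Smart Alert settings.

Added illustration, not Change Auditor code. It models the two behaviours the Alert
tab describes: fire after `count` matching events inside `window_seconds`, counted
across any object (the default) or, with "On a Single Object", only when the same
object is hit `count` times. Event fields and sample data are constructed here.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime
    obj: str      # the object the event applies to (here: the target machine)
    detail: str   # free text, e.g. which account failed to log on


class SmartAlert:
    """Fire once every time `count` events land inside `window_seconds`."""

    def __init__(self, count, window_seconds, single_object=False):
        if count < 1 or window_seconds < 1:
            raise ValueError("count and window_seconds must be positive")
        self.count = count
        self.window = timedelta(seconds=window_seconds)
        self.single_object = single_object
        # One timestamp queue per correlation key; the key "*" means "any object".
        self._recent = defaultdict(deque)

    def feed(self, event):
        """Record `event`; return True if it completes a burst that should alert."""
        key = event.obj if self.single_object else "*"
        recent = self._recent[key]
        recent.append(event.time)
        # Drop events outside the interval that ends at this event. An event exactly
        # `window` old still counts (strict '<'); that boundary choice is an assumption.
        cutoff = event.time - self.window
        while recent and recent[0] < cutoff:
            recent.popleft()
        if len(recent) >= self.count:
            recent.clear()   # one burst produces one alert, not one per extra event
            return True
        return False


def evaluate(events, count, window_seconds, single_object=False):
    """Replay `events` in time order; return the events at which an alert fires."""
    correlator = SmartAlert(count, window_seconds, single_object)
    return [e for e in sorted(events, key=lambda e: e.time) if correlator.feed(e)]


# Constructed sample: bad-password attempts for one privileged account, first
# spread across three machines, then repeated against a single machine later.
BASE = datetime(2015, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(BASE + timedelta(seconds=0),   "HOST1", "Bad password for EXAMPLE\\svc_admin"),
    Event(BASE + timedelta(seconds=10),  "HOST2", "Bad password for EXAMPLE\\svc_admin"),
    Event(BASE + timedelta(seconds=20),  "HOST3", "Bad password for EXAMPLE\\svc_admin"),
    Event(BASE + timedelta(seconds=400), "HOST1", "Bad password for EXAMPLE\\svc_admin"),
    Event(BASE + timedelta(seconds=410), "HOST1", "Bad password for EXAMPLE\\svc_admin"),
    Event(BASE + timedelta(seconds=420), "HOST1", "Bad password for EXAMPLE\\svc_admin"),
]


def offsets(alerts):
    """Seconds after BASE at which each alert fired (for reading the results)."""
    return [(e.time - BASE).total_seconds() for e in alerts]


if __name__ == "__main__":
    # Any object, 3 events in 60 s: fires at +20 s (three machines) and at +420 s.
    print("any object:   ", offsets(evaluate(SAMPLE_EVENTS, 3, 60)))
    # On a Single Object: the spread-out attempts never fire; HOST1 alone does at +420 s.
    print("single object:", offsets(evaluate(SAMPLE_EVENTS, 3, 60, single_object=True)))
```

Two points follow from running it. First, the On a Single Object option changes what a threshold means: the same six events produce two alerts when counted across any object but only one when counted per object, so the "one account, many machines" pattern from the introduction is only caught with the option cleared. Second, the correlator resets its window after firing, so a long-running burst produces one notification per `count` events rather than one per event; a different reset policy changes alert volume without changing detection.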
NOTE: If using the Alert tab, be sure to click the Save button to save the alert definition.
When an alert is enabled, the following indicators are added to the Searches list:
Type - the icon for the search (magnifying glass) changes to a check mark and the label changes
from Search to Alert (e.g., Shared Alert)
Alert To - displays the email address of any users who are to receive the alert email
Alert Cc - if specified, displays the email address of any users who are to receive a copy of the
alert email
Alert Bcc - if specified, displays the email address of any users who are to receive a blind copy of
the alert email
To enable SNMP alerts:
Expand the Private and Shared folders in the explorer view to locate the search to which an alert is to
be associated. Select the search from the Search list in the right-hand pane.
Use one of the following methods:
Right-click the search and select the Alert | Enable Transport | SNMP command.
Open the Alert tab at the bottom of the page, select the SNMP check box, then the Alert Enabled
check box. (If the Search Properties tabs are not being displayed, right-click the alert definition
and select the Show Properties menu command).
In addition, you can change the following alert configuration settings using the Alert tab (Search
Properties tabs):
By default, up to 50,000 events will be included in the alert history. Use the History Search Limit
setting to change this value. (This setting is a global setting and changes made to this setting will
be applied to ALL alerts.)
If you want to specify under what conditions an alert is to be sent, select the Smart Alert
Enabled check box and specify the number of events that must occur within a specified time
interval before generating/dispatching the alert.
By default, a smart alert is generated when the event occurs on any object the specified number
of times. You can however, select the On a Single Object option to have the smart alert triggered
when the event occurs on the same object the specified number of times.
NOTE: If using the Alert tab, be sure to click the Save button to save the alert definition.
When an alert is enabled, the following indicators are added to the Searches list:
Type - the icon for the search (magnifying glass) changes to a check mark and the label changes
from Search to Alert (e.g., Shared Alert)
To enable WMI alerts:
Expand the Private and Shared folders in the explorer view to locate the search to which an alert is to
be associated. Select the search from the Search list in the right-hand pane.
Use one of the following methods:
Right-click the search and select the Alert | Enable Transport | WMI command.
On the Alert tab, select the WMI check box and then the Alert Enabled check box. (If the Search
Properties tabs are not being displayed, right-click the alert definition and select the Show
Properties menu command).
In addition, you can change the following alert configuration setting using the Alert tab (Search
Properties tabs):
By default, up to 50,000 events will be included in the alert history. Use the History Search Limit
setting to change this value. (This setting is a global setting and changes made to this setting will
be applied to ALL alerts.)
NOTE: If using the Alert tab, be sure to click the Save button to save the alert definition.
When an alert is enabled, the following indicators are added to the Searches list:
Type - the icon for the search (magnifying glass) changes to a check mark and the label changes
from Search to Alert (e.g., Shared Alert)
Disable alerts
NOTE: The right-click commands available for enabling/disabling alert notifications are available when
multiple search definitions are selected. However, you can only enable/disable alert notifications using
the Alert tab when a single search definition is selected.
To disable alerts:
Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be
disabled. Select the alert from the Search list box in the right-hand pane.
Use one of the following methods:
Right-click the alert and select the Alert | Disable Alert command. A message box will be
displayed asking you to confirm that you want to disable the alert. Click Yes.
Open the Alert tab, clear the Alert Enabled check box. (If the Search Properties tabs are not
being displayed, right-click the alert definition and select the Show Properties menu command.)
NOTE: If using the Alert tab, click the Save button to apply the change.
In addition to disabling an alert, you can also disable the alerting transports for an alert-enabled search.
To disable the SMTP transport:
Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be
disabled. Select the alert from the Search list in the right-hand pane.
Use one of the following methods:
Right-click the alert and select Alert | Disable Transport | SMTP. A message box will be
displayed asking you to confirm that you want to disable the alert. Click Yes.
Open the Alert tab, clear the SMTP check box and the Alert Enabled check box. (If the Search
Properties tabs are not being displayed, right-click the alert definition and select the Show
Properties menu command.)
NOTE: If using the Alert tab, click the Save button to apply the change.
If this is the only transport or when all transports are disabled, the definition returns to a Search type.
To disable the SNMP transport:
Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be
disabled. Select the alert from the Search list in the right-hand pane.
Use one of the following methods:
Right-click the alert and select Alert | Disable Transport | SNMP. A message box will be
displayed asking you to confirm that you want to disable the alert. Click Yes.
Open the Alert tab, clear the SNMP check box and the Alert Enabled check box. (If the Search
Properties tabs are not being displayed, right-click the alert definition and select the Show
Properties menu command.)
NOTE: If using the Alert tab, click the Save button to apply the change.
If this is the only transport or when all transports are disabled, the definition returns to a Search type.
To disable the WMI transport:
Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be
disabled. Select the alert from the Search list in the right-hand pane.
Use one of the following methods:
Right-click the alert and select Alert | Disable Transport | WMI. A message box will be displayed
asking you to confirm that you want to disable the alert. Click Yes.
Open the Alert tab, clear the WMI check box and the Alert Enabled check box. (If the Search
Properties tabs are not being displayed, right-click the alert definition and select the Show
Properties menu command.)
NOTE: If using the Alert tab, click the Save button to apply the change.
If this is the only transport or when all transports are disabled, the definition returns to a Search type.
The Alert History page displays the following columns for each alert: Time Alerted, Alert Type, Sent,
Description, Error Message.
To view alert history:
On the Searches page, select an alert-enabled search definition, right-click, expand the Alert command
and select the History option.
This will open a new Alert History page, which displays details regarding the alerts triggered for the
selected search.
To delete alert history:
On the Searches page, select an alert-enabled search, right-click, expand the Alert command and select
the Delete History option.
Selecting this command will clear the alert history for the selected alert.
NOTE: Change Auditor deletes alerts in batches of 1000, so the alert history will not be
immediately cleared; however, refreshing the screen will show the number of alerts decreasing.
To display the event details for an alert:
Open an Alert History page and select an alert from the grid.
If neither the Alert tab nor the Event Details pane is displayed (or the Alert tab is displayed), use one
of the following methods to display the event details:
To display the search properties for an alert:
Open an Alert History page and select an alert from the grid.
If neither the Alert tab nor the Event Details pane is displayed (or the Event Details pane is displayed),
use one of the following methods to display the search properties:
9 Administration Tasks
License column legend: Any - does not require a specific license; available with any license
For more detailed information on how to perform an administrative task or a description of the page that is
displayed, refer to the appropriate chapter in the different Change Auditor user guides.
Table 15. Administration Task tab: Task descriptions (Task List/Task - Description - License)
Configuration
The following tasks are available in the Configuration task list:
Agent - License: Any
Coordinator - License: Any
Purge Jobs - Define and schedule purge jobs for deleting events from the production database.
License: Any
Directory - License: Any
Excluded Accounts - Create Excluded Accounts templates to define individual accounts that are to be
excluded from Change Auditor auditing. For more information, see Account Exclusion. License: Any
Forest
Use the tasks under this heading to define custom auditing definitions for your Active Directory forest.
Active Directory - For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD
Attributes - For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD
Member of Group
Excluded AD Query - For more information, see the Dell Change Auditor for Active Directory Queries
User Guide. License: CAAD-Q
ADAM (AD LDS) - For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD
Attributes - For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD
Applications
Use the tasks under this heading to define auditing for different types of applications within your
environment.
Exchange Mailbox - License: CAEX
SQL (SQL Server, SQL Data Level) - License: CASQL
VMware - License: Any
SharePoint - Create SharePoint ... farm to be audited and the Change Auditor agent to be used to
audit this farm. For more information, see the Dell Change Auditor for SharePoint User Guide.
Server
Use the tasks under this heading to create auditing templates that can then be assigned to agent
configurations to enable custom server-level auditing.
File System
Registry - License: Any
NAS
Use the tasks under this heading to create auditing templates for NAS devices.
EMC - For more information, see the Dell Change Auditor for EMC User Guide. License: CAEMC
NetApp - License: CANA
SonicWALL - License: CASW
Protection
The Protection task list is divided into separate task lists as well: one for forest-level tasks that are globally
applied, one for tasks that define protection for applications, and another for server-level tasks that must be
assigned to an agent configuration.
Note: To use Active Directory Protection templates, you must be logged in to Change Auditor with an account
with Enterprise Admin privileges.
Forest
Use the tasks under this heading to define global protection definitions for your Active Directory forest.
Active Directory - For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD
ADAM (AD LDS) - For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD
Group Policy - For more information, see the Dell Change Auditor for Active Directory User Guide.
License: CAAD
Applications
Use the task under this heading to define global protection for your Exchange Mailbox application.
Exchange Mailbox
Server
Use the task under this heading to create protection templates that can then be assigned to agent
configurations to enable server-level protection.
File System - License: CAFS
On the Export dialog, select the configuration, auditing and protection settings to be exported:
Table 16. Export dialog settings
Configuration
NOTE: By default, all settings except for the Coordinator Configuration and Application User Interface
settings are selected for export. When imported, these configuration settings overwrite any existing
settings that may be present.
Agent
Coordinator
Report Layouts
Purge Jobs
Auditing
Audit Events
Excluded Accounts
Active Directory
Exchange Online
Exchange Mailbox
VMware
SharePoint
File System
Registry
Services
EMC
NetApp
SonicWALL
Protection
Active Directory
Group Policy
File System
On the Save Configuration dialog, select the location where the XML file is to be saved. By default, the
name of the file is Change Auditor Configuration; however, you can change this in the File name field.
Click Save.
NOTE: A similar dialog appears when you use the Action | Import menu command. From this dialog, you
can then select the configuration, auditing and protection settings to be imported.
10 Agent Configurations
Introduction
Change Auditor assigns the default configuration to each agent, including both server agents and workstation
agents, during deployment. This default configuration consists of the following settings:
System Settings:
AD Query settings:
Exchange settings:
VMware settings:
SonicWALL settings:
You can define and assign different agent configurations to each deployed server agent from the Agent
Configuration page on the Administration Tasks tab. However, workstation agents always use the default
configuration; they cannot be assigned to a different agent configuration. Also, when the default configuration
is modified, workstation agents will only receive these modifications when the polling interval determines there
has been a change; clicking the Refresh Configuration button on the Agent Configuration page only pushes
agent configuration changes out to server agents.
In order to enable various custom auditing and protection features, you are required to assign templates to an
agent's configuration. The custom auditing and protection features that require custom templates to be
assigned to an agent's configuration are:
Registry Auditing
Service Auditing
SQL Auditing
NOTE: The NetApp, EMC, SharePoint, VMware and Exchange Online Auditing templates define
which Change Auditor agent(s) are used to capture events; however, these templates do not use the agent
configurations from the Agent Configuration page as described in this chapter. See the Dell Change
Auditor for NetApp User Guide, Dell Change Auditor for EMC User Guide, Dell Change Auditor for
SharePoint User Guide, Dell Change Auditor for Exchange User Guide, or VMware Auditing chapter in
this document for more information.
This chapter describes the Agent Configuration page and how to perform the tasks associated with defining and
assigning configurations to Change Auditor agents. For a description of the other dialogs mentioned, refer to the
online help. For more information on Registry Auditing, Service Auditing and Account Exclusion refer to the
appropriate sections in this document. For more information on File System Auditing and File System
Protection, see the Dell Change Auditor for Windows File Servers User Guide. For more information on SQL
Auditing, see the Dell Change Auditor for SQL Server User Guide. For more information on SonicWALL
auditing, see the Dell Change Auditor for SonicWALL User Guide.
NOTE: All dates and times are based on the client's current local date and time. The format used to
display the date and time is determined by the local machine's regional and language setting.
The Agent Configuration page contains the following columns (Default indicates whether the column is
displayed by default):
Active Directory (Default: No)
ADAM (AD LDS) (Default: No) - Indicates whether ADAM (AD LDS) auditing and/or protection has been
defined.
Agent (Default: Yes) - Displays the NetBIOS name of the server that hosts the Change Auditor agent.
Agent FQDN (Default: No) - Displays the fully qualified domain name (FQDN), consisting of the host and
domain name including the top-level domain, of an agent.
Configuration (Default: Yes)
Coordinator (Default: No)
DB Size (Default: No)
Domain (Default: Yes)
EMC (Default: Yes)
Events (past 24 hours) (Default: No) - Displays the number of events encountered on the agent during
the past 24 hours from when the Agent Configuration page is initially opened during the current client
session or when the page is refreshed using the Refresh button. The value in this field is a hypertext
link and when selected launches a quick search to display the events generated in the last 24 hours.
Events Today (Default: No)
Events Total (Default: No) - Displays the number of events encountered since the agent was started.
The value in this field is a hypertext link and when selected launches a quick search to display all
events encountered since the agent was started.
Events Yesterday (Default: No)
Exchange (Default: No)
Exchange Online (Default: Yes)
Exchange Server (Default: No)
Exclude Account (Default: Yes)
File System (Default: Yes)
Forest (Default: No)
Group Policy (Default: No)
Last Update (Default: No) - Displays the date and time when the agent configuration was last updated.
NetApp (Default: Yes)
Registry (Default: Yes)
Service (Default: Yes)
SharePoint (Default: Yes)
SonicWALL (Default: Yes)
SQL (Default: Yes)
SQL Data Level (Default: Yes) - Indicates whether a SQL Data Level Auditing template has been assigned
to an agent's configuration.
Startup Time (Default: No) - Displays the date and time when the agent was last initialized.
Status (Default: No) - Possible values: active, inactive, uninstalled.
Type (Default: No) - Possible values: Domain Controller, Global Catalog, Server.
Unsent Events (Default: No) - Displays the number of events that have not yet been sent to the
coordinator.
Uptime (Default: No)
Version (Default: No)
VMware (Default: Yes)
Click the Configuration task button at the bottom of the navigation pane (left pane).
Select Agent in the Configuration task list to display the Agent Configuration page.
From the Agent Configuration page, click the Configurations tool bar button.
The Configuration Setup dialog appears, which contains a list of configuration definitions available as
well as the means for creating a new configuration.
From this dialog, click the Add button to create a new definition or click the Copy button to duplicate
the configuration selected in the Configurations list box.
This will add a new configuration to the list, allowing you to name the new configuration, specify the
system settings and assign auditing and protection templates to the configuration.
With the new/copied configuration highlighted in the Configuration list, enter the name for your new
agent configuration.
Use the tabbed pages at the top of the dialog to modify the system settings, file system settings, AD
System Settings
Polling Interval - Default: 900 seconds; Valid range: 60 - 9999 seconds
Forwarding Interval - Default: 5 seconds; Valid range: 5 - 999 seconds
Retry Interval - Default: 300 seconds; Valid range: 60 - 600 seconds
[setting name not recovered] - Default: 1500 events
[setting name not recovered] - Default: 10000 events
[setting name not recovered] - Default: Sunday - Saturday, 12:00 am - 11:59 pm; Valid range: N/A
File System
The settings on the File System tab only apply when Change Auditor for Windows File Servers, Change
Auditor for EMC or Change Auditor for NetApp is licensed.
Discard duplicates that occur within nn seconds - Enabled by default; Default: 10 seconds; Valid range:
1 - 600 seconds
[setting name not recovered] - Disabled by default; Valid range: N/A
AD Query
The settings on the AD Query tab only apply when Change Auditor for Active Directory Queries is
licensed.
Discard query results less than nn records - Default: 0 records; Valid range: 0 - 99999 records
[setting name not recovered] - Default: 20 milliseconds; Valid range: 0 - 99999 milliseconds
[setting name not recovered] - Default: 15 minutes; Valid range: 1 - 1440 minutes
[setting name not recovered] - Enabled by default; Valid range: N/A
Exchange
The setting on the Exchange tab only applies when Change Auditor for Exchange is licensed.
NOTE: These settings only apply to the Exchange subsystem events; they do not apply to the Exchange
Online subsystem events.
Discard duplicates that occur within nn seconds - Default: 0 seconds; Valid range: 0 - 600 seconds
[setting name not recovered] - Default: 60 seconds; Valid range: 60 - 9999 seconds
VMware
Polling Interval
SonicWALL
The settings on the SonicWALL tab only apply when Change Auditor for SonicWALL is licensed.
AppFlow Collector Port - Default: 2055; Valid range: 1024 - 65535
Processing Interval - Default: 1 second; Valid range: 1 - 60 seconds
[setting name not recovered] - Default: 10 seconds; Valid range: 1 - 60 seconds
[setting name not recovered] - Default: 10 minutes; Valid range: 1 - 60 minutes
Purge Interval - Default: 60 seconds; Valid range: 10 - 600 seconds
[setting name not recovered] - Default: 60 seconds; Valid range: 10 - 600 seconds
To add an auditing or protection template to the selected configuration, use the Auditing and Protection
Templates pane. This pane displays the auditing and protection templates previously defined.
Use one of the following methods to assign a template to an agent configuration:
Select a template and drag and drop it onto a configuration in the Configuration list.
Select a configuration from the Configuration list and drag and drop it onto a template in the
Auditing and Protection Templates pane.
Select a configuration, then select a template, click in the corresponding Assigned cell and click
Yes.
If the templates list is empty or you want to define a new template, click the Edit Templates button.
On the Auditing and Protection Templates dialog, select the tab for the type of template to be
added (e.g., Excluded Accounts) and click the Add Template button.
The associated wizard will be displayed allowing you to define the auditing or protection to be
applied. Refer to the appropriate chapters in this guide for details on completing each of these
wizards.
10 Once you have defined the new template, click OK to close this dialog and return to the Configuration
Setup dialog. Select this new template, right-click and select Assign.
11 Once you have named the configuration, selected the system settings and added auditing or protection
templates, click the OK button to save your configuration and return to the Agent Configuration page.
On the Agent Configuration page, select one or more agents from the agent list and click the Assign tool
bar button or right-click command.
On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agents
and click the OK button.
On the Agent Configuration page, the agent configuration assignment will be updated in the
Configuration column.
Select the agent(s) assigned to the agent configuration and click the Refresh Configuration tool bar
button or right-click command. This will ensure that the assigned agent(s) are using the latest agent
configuration.
On the Agent Configuration page, click the Default All tool bar button.
A message will be displayed confirming that you want to reset ALL agent configurations back to the
factory default settings. Click Yes.
Select the agent(s) assigned to the agent configuration and click the Refresh Configuration tool bar
button or right-click command. This will ensure that the assigned agent(s) are using the latest agent
configuration.
event log. These event logs can then be collected using Dell InTrust to satisfy
NOTE: This is a global setting and applies to all Change Auditor agents. However, keep the following in
mind when defining custom auditing:
Excluding accounts from auditing does NOT impact event logging with the exception of Exchange.
That is, if an Exchange Mailbox account is set to exclude ALL mailbox events, then these events
will also be excluded from the event log.
For Registry events, event logging is disabled by default. When enabled, only configured activities
are sent to the event log.
For Service events, event logging is disabled by default. When enabled, only configured activities
are sent to the event log.
For Active Directory events, event logging is disabled by default. When enabled, all Active
Directory activity is sent to the event log.
For ADAM (AD LDS) events, event logging is disabled by default. When enabled, all ADAM activity is
sent to the event log.
For File System events, event logging is disabled by default. When enabled, only configured
activities are sent to the event log.
For Exchange mailbox events, event logging is disabled by default. When enabled, only configured
Exchange Mailbox activities are sent to the event log. Exchange Online events are NOT logged to
this event log.
For SQL Server events, event logging is disabled by default. When enabled, only configured
activities are sent to the event log.
For SQL Data Level events, event logging is disabled by default. When enabled, only configured
activities are sent to the event log.
For AD Query events, event logging is disabled by default. When enabled, all Active Directory
queries, except those specified in the Excluded AD Query list are sent to the event log. When
enabling AD Query event logging, keep in mind that AD Query events could be of very high volume.
For EMC events, event logging is disabled by default. When enabled, only configured activities
are sent to the event log.
For NetApp events, event logging is disabled by default. When enabled, only configured activities
are sent to the event log.
For SharePoint events, event logging is disabled by default. When enabled, only configured
activities are sent to the event log.
For Lync events, event logging is disabled by default. When enabled, all Lync events are sent to
the event log.
For SonicWALL events, event logging is disabled by default. When enabled, only configured web
site/cloud storage site activities are sent to the event log.
From the left-hand pane, select Agent (under the Configuration task list) to display the Agent
Configuration page.
On the Event Logging dialog, select the type of event logging to be enabled:
Active Directory
Exchange
File System
SQL
EMC
AD Query
SonicWALL
Registry
Service
Local Account
Change Auditor
NetApp
SharePoint
Lync
NOTE: If an option is disabled, this indicates that you do not have the corresponding component
licensed. For example, if the SharePoint check box is disabled, you do not have a Change Auditor
for SharePoint license.
11
Coordinator Configuration
SMTP Configuration pane - for enabling and configuring SMTP for email alerting and reporting
Group Membership Expansion pane - for defining the schedule for expanding nested membership of
Active Directory groups that are referenced in searches (Who search criteria) or groups that are
defined in the Member of Group auditing feature
Agent Heartbeat Check pane - for specifying how long the coordinator service is to wait before an agent
that is not sending updates will be marked as inactive
This chapter provides a description of the panes listed above and instructions on how to use these panes to
configure email alerting and group membership expansion. For a description of the other dialogs mentioned in
this chapter, refer to the online help.
Configure email alerting and reporting by specifying the following information in the SMTP Configuration pane:
Table 19. Coordinator Configuration page: SMTP Configuration pane field/control descriptions
Field/Control
Description
Enable SMTP for Alerts and Reporting
Select this check box to enable email alert notifications and reporting. Checking
this option will activate the remaining fields on this page to define the mail server
to be used.
NOTE: The settings set on this page are global settings and will apply to all
alert/report emails. For alerts you can override the reply to, alert subject,
signature and body content for individual search queries using the settings on the
Alert tab (Search Properties tabs). For reports, you can override the To and Reply
addresses, specify carbon copy (Cc and Bcc) recipients, and modify the subject line
for individual search queries using the Report tab (Search Properties tabs).
Mail Server
When SMTP is enabled for alerts and reporting, enter the name or IP address of the
mail server in this text box.
NOTE: Change Auditor sends alerts/reports through a single SMTP (email) relay
configuration even when multiple coordinators are configured. That is, all
coordinators will use the same mail server for sending alert notifications and
reports.
From Address
Enter the email address from which alert notifications and reports are to originate.
Instead of entering an email address, you can use the browse button to the far right
of the From Address field to select the user whose email address is to be used for
alert notifications and email reports.
Clicking this button displays one of the following dialogs:
The Select Active Directory Objects dialog (Directory object picker) allows
you to locate and select an Active Directory user. Use the Browse or Search
page to locate and select an Active Directory user.
The Select Exchange Users dialog allows you to search for and select a
mail-enabled object from the Exchange Global Address List (GAL). On the
Exchange tab, enter a name or partial name, at least three characters long,
and click the Search button to look up mail-enabled objects in the GAL. On
the Active Directory tab, use the Browse or Search page to locate and select
an Active Directory user.
This dialog is displayed when an Exchange host is defined in the SMTP Configuration
pane of the Coordinator Configuration page.
Reply To
Instead of entering an email address, you can use the browse button to the far right
of the Reply To field to select the user whose email address is to be used for alert
notifications and email reports.
Clicking this button displays one of the following dialogs:
The Select Active Directory Objects dialog (Directory object picker) allows
you to locate and select an Active Directory user. Use the Browse or Search
page to locate and select an Active Directory user.
This dialog is displayed when no Exchange host is specified in the SMTP
Configuration pane of the Coordinator Configuration page.
The Select Exchange Users dialog allows you to search for and select a
mail-enabled object from the Exchange Global Address List (GAL). On the
Exchange tab, enter a name or partial name, at least three characters long,
and click the Search button to look up mail-enabled objects in the GAL. On
the Active Directory tab, use the Browse or Search page to locate and select
an Active Directory user.
This dialog is displayed when an Exchange host is defined in the SMTP Configuration
pane of the Coordinator Configuration page.
Alert Subject
Enter a customized subject line to replace the default text in the subject line for
alert notifications. The default subject line contains the following information:
Change Auditor %Alert_Type% from %Alert_Coordinator_Name%: %Alert_Name%
Where:
%Alert_Type% is either Alert or Smart Alert
%Alert_Coordinator_Name% is the name of the coordinator generating the
alert
%Alert_Name% is the name of the alert that fired
NOTE: The Alert Subject does not apply to email reports.
Click the browse button to the far right of the Subject Line field to select the
variable(s) to be inserted into the subject line or to reset it back to the default
content.
Expand the Insert Variable option to insert one or more of the following variables
into the subject line:
ALERT_NAME
ALERT_TIME_SENT
ALERT_TYPE
ALERT_COORDINATOR_DOMAIN
ALERT_COORDINATOR_NAME
SMART_ALERT
SMART_ALERT_GROUPING
SMART_ALERT_OCCURRENCE
SMART_ALERT_PERIOD
SMART_ALERT_PERIOD_UNIT
BATCH_ID
EVENT_COUNT
Select the Restore To Default option to reset the subject line back to the default
content. That is, remove any variables that were inserted.
Send Plain Text Email
Select this option to have the email notification sent in plain text format. (Default)
Select this option to have the email notification sent in HTML format.
Configure Body
Click this button to launch the Alert Body Configuration dialog where you can
define the content of the main body, the event details and the signature to be
included in your alert emails.
My Server Requires Authentication
Select this check box if the specified mail server requires authentication and enter
the account information as described below.
Account Name
Enter the account name required to authenticate to the specified mail server.
Instead of entering the account name, you can use the browse button to the far
right of the Account Name field to select the account to be used. Clicking this
button displays the Select Active Directory Object dialog (Directory object picker).
Use the Browse or Search pages to locate the user account to be used to
authenticate to the mail server.
Password
Enter the password associated with the account name entered above.
NOTE: Blank passwords are NOT allowed.
Enable SSL
Select this check box to use the Secure Sockets Layer (SSL) encryption protocol to
create a secure connection for transmitting data to and from the mail server.
Exchange Host
(Optional) Entering the Exchange host information allows you to look up email
recipients from the Exchange GAL in addition to Active Directory. That is, when you
click a browse button on the SMTP Configuration pane, Alert Custom Email dialog or
Report tab to look up an email recipient, the Select Exchange Users dialog appears,
which contains both an Exchange tab and an Active Directory tab.
Enter the internet host name of the Exchange mail server.
Use the field to the right of the Exchange Host field to select the Exchange version
associated with the specified Exchange host.
My Host Requires Authentication
Select this check box if the specified Exchange host requires authentication and
enter the account information as described below.
Account Name
Enter the user account name used to log into your email account.
Instead of entering the user name, you can use the browse button to the far right of
the Account Name field to select the account to be used. Clicking this button
displays the Select Active Directory Object dialog (Directory object picker). Use the
Browse or Search pages to locate the user account to be used to authenticate to the
Exchange host.
Password
Enter the password associated with the account name entered above.
NOTE: Blank passwords are NOT allowed.
NOTE: Change Auditor sends alerts through a single SMTP (email) relay even when multiple coordinators
are configured. That is, all coordinators will use the same mail server for sending alert notifications and
reports.
Click the Configuration task button at the bottom of the navigation pane (left pane).
Select Coordinator in the Configuration task list to open the Coordinator Configuration page.
On the SMTP Configuration pane, select the Enable SMTP for Alerts and Reporting option to enable
email alert notifications and reporting. Checking this option will activate the remaining fields on this
page to define the mail server to be used.
Enter the following information:
Mail Server
From Address
NOTE: Use the browse button to the right of the From Address field to launch the Select
Active Directory Object dialog (Directory object picker) or Select Exchange User dialog.
From the Select Active Directory Object dialog, use the Browse or Search page to locate and
select a user.
If the Exchange Host information is entered at the bottom of the SMTP Configuration pane,
the Select Exchange Users dialog appears. On the Exchange tab, enter a name or partial
name, at least three characters long, in the Find field and click Search to look up and select
an Exchange user. On the Active Directory tab, use the Browse or Search page to locate and
select an Active Directory user.
Reply To
NOTE: Use the button to the right of the Reply To field to launch the Select Active
Directory Object dialog (Directory object picker) or Select Exchange User dialog.
From the Select Active Directory Object dialog, use the Browse or Search page to locate and
select a user.
If the Exchange Host information is entered at the bottom of the SMTP Configuration pane,
the Select Exchange Users dialog appears. On the Exchange tab, enter a string at least three
characters long in the Find field and click Search to look up and select an Exchange user. On
the Active Directory tab, use the Browse or Search page to locate and select an Active
Directory user.
Alert Subject
NOTE: Use the button to the right of the Alert Subject field to insert a variable into the
subject line or to reset it back to the default content.
Select the appropriate option to have the email notification/report sent in plain text format (default) or
HTML format.
Optionally, click the Configure Body button to launch the Alert Body Configuration dialog where you can
define the content of the main body, the event details and the signature to be included in your alert
emails. After configuring the alert body, click OK to return to the Coordinator Configuration page.
NOTE: The Alert Body Configuration settings do not apply to email reports. To define the content
(columns) to be included in a report, use the Layout tab. In addition, you can use the Report
Layouts page (Administration Tasks tab) to create customized report layout template(s) defining
the header and footer information to be used in your reports.
If the specified mail server requires authentication, select the My Server Requires Authentication
check box and enter the account credentials to be used.
NOTE: Use the button to the right of the Account Name field to launch the Select Active Directory
Object dialog (Directory object picker). From this dialog, use the Browse or Search page to locate
and select a user.
Exchange Host: Enter the internet host name of your Exchange mail server. Use the field to the
far right of the Exchange Host field to specify the Exchange version for your Exchange host.
My Host Requires Authentication: Select this check box if the Exchange host requires
authentication and enter the Account Name and Password used to log into your email account.
NOTE: Use the button to the right of the Account Name field to launch the Select Active
Directory Object dialog (Directory object picker). From this dialog, use the Browse or
Search page to locate and select a user.
Configuring the Exchange host allows you to look up email recipients using the Exchange GAL or Active
Directory. That is, when you click a browse button to look up an email recipient from the top part of the
SMTP Configuration pane, Alert Custom Email dialog or Report tab, the Select Exchange Users dialog
appears, which contains an Exchange tab where you can enter a partial name to look up users from the
Exchange GAL.
9 Click the Test SMTP tool bar button to test the mail server configuration.
10 Once the mail server configuration is verified, click the Apply Changes tool bar button to save the
configuration.
11 Now that SMTP alerting/reporting is enabled and configured, you can enable email alert notifications for
individual search definitions using the Alert tab (Search Properties tabs) and/or reporting for individual
search definitions using the Report tab (Search Properties tabs).
Click the Configure Body button to display the Alert Body Configuration dialog.
On the Alert Body Configuration dialog, select the appropriate option (at the bottom of the dialog) to
edit either the Plain Text (default) or the HTML representation of the alert emails.
Use the Main Body tab to enter the text to be included and define the overall layout of the alert body.
Select the Show Variables check box to display the variables that can be added to the main body
of your email.
To add a variable, double-click the variable from the Variable list at the bottom of the page. You
can also drag and drop a variable from the Variable list into the main body text box.
NOTE: The event details defined in the Event Details tab are placed in the Main Body pane using
the following tag: %EVENT_DETAILS%. This tag should NOT be removed from the Main Body tab if
you want to include the event details in the alert emails.
Use the Event Details tab to specify the event details to be included. That is, you can rearrange
or remove entries, or modify the text.
Select the Show Variables check box to display a list of the variables that can be added to the
event details of your alert email.
To add a variable, double-click the variable from the Variable list at the bottom of the page. You
can also drag and drop a variable from the Variable list into the Event Details text box.
NOTE: Do NOT modify the blue text surrounded by percent signs (e.g., %USERNAME%). These are
tags which represent actual data retrieved from the Change Auditor event that triggered the alert.
See Change Auditor Email Tags for more information on these tags and the data retrieved by each.
Use the Signature tab to define the content of the signature line to be used in alert emails.
After you have entered the body content and defined the event details and signature line to be included,
select the Preview tab to view a sample email using your defined format and content.
Once defined, click the OK button to save your settings and close the Alert Body Configuration dialog.
NOTE: Click the Restore to Default button to revert back to the default email content and format.
for expanding nested membership of Active Directory groups that are referenced in searches (Who search
criteria) or groups that are defined in the Member of Group feature. Group membership will be recursively
enumerated in order to determine nested group membership.
Description
Select one of the following options to define how you want to expand
groups:
Expand all groups - This expands all groups in the forest. Use this
only if you are using SSIS and need the freedom to make requests for
any group in the forest.
Group Membership Expansion list
The Group Membership Expansion list box is only available when the
Expand groups that are referenced in existing queries and selected
groups option is selected, and displays a list of the groups to be expanded.
Use the Add button to add groups to this list box and use the Remove
button to remove groups from the list box.
Add
Use the Add button to add groups to the group membership expansion list.
Clicking this button will display the Select Active Directory Objects dialog
allowing you to locate and select the groups to be added.
See Directory object picker for a description of the Browse, Search and
Options pages. Note that the Find field on this dialog will display Group
and cannot be changed.
Remove
Use the Remove button to remove the selected group from the group
membership expansion list.
By default, group membership will be refreshed every 360 minutes. Use the
arrow controls to increase or decrease this value.
Valid range: 10 - 43200
Defaults
Use the Defaults button to reset the refresh frequency settings back to the
factory defaults.
Click the Add button to display the Select Active Directory Objects dialog.
Use either the Browse page or Search page to locate and select a group to be added to this list. Once a
group is selected, click the Add button on this dialog to add it to the selection list at the bottom of the
dialog.
Repeat this step to add each additional group.
Once you have selected all the groups to be added, click the Select button to save your selection.
The specified groups will now be listed in the Group Membership Expansion list on the Coordinator
Configuration page.
On the Coordinator Configuration page, click the Apply Changes tool bar button to apply your changes
regarding group membership expansion.
Description
Select this check box if you want to have the coordinator service try
to restart an agent service before it marks it as inactive.
12
Purging and Archiving your Change
Auditor Database
Introduction
Change Auditor provides several options that allow you to schedule both the purging of events from your
database and archiving older data to an archive database. Automating database cleanup allows you to keep
critical and relevant data online and current while eliminating or archiving events that are no longer required.
This not only prevents your database from growing in size, but it increases overall operational efficiency by
speeding up searches and data retrieval from the database.
Using the purge options, you can define and schedule jobs that will eliminate events from the database based
on the following criteria:
Who - purge events generated by a specific user, computer or group.
What - purge events based on subsystem, event class, object class, severity or results.
Where - purge events captured by a specific agent, domain or site.
Origin - purge events originating from a specific workstation or server.
Using the archive options, you can select to create a yearly archive database for older events that are no longer
required to be represented in your reports.
Table 22. Available job types
Job type
Description
Purge
This deletes events from the production database. You can create and
run multiple purge jobs.
When scheduling a purge job, you can choose a batch limit. This limit
tells the job how many events to delete from the production database
before pausing and letting another job run. Choosing too large a batch
limit may slow your purge jobs down. If you find that they are slow,
reduce the batch limit.
Archive
This deletes events (purge job) from the production database, then
immediately performs an archive job to move the remaining records in
the time period specified for the job from the production database to an
archive database. You can only create and run one purge and archive
job or one archive job.
If you select a batch limit, it will only apply to the purging portion of the
job. When the batch limit is reached, the job will immediately run again
ensuring this job type runs to completion before the archive job begins.
Scheduling a job
When scheduling your jobs, consider the following:
Only one archive type job (archive only, purge/archive) can exist. However, multiple purge only jobs can
be scheduled.
Purge only jobs run until they hit the batch limit. When the batch limit is encountered the job pauses
(runs again later) to give another job a chance to run. Archive type jobs will not pause to give other jobs
the opportunity to run until they are complete.
If you have multiple coordinators, only one coordinator will run the job.
Use a purge and archive job to ensure that deletion of unwanted events completes before archiving begins.
The first time the job is executed it may be working with a large amount of data and therefore may take
a significant amount of time to run.
It is recommended to run jobs frequently so that they are working with less data and complete faster.
Start with one job to see how long it takes to complete, then add more jobs as needed.
If an archiving job is created to archive large amounts of data over multiple calendar years, it may take
a significant amount of time to finish. If you have multiple calendar years of data to archive, select to
archive the oldest calendar year first. When the first archive job finishes, update the job settings to
archive the next calendar year and so on until all the data has been archived.
Enable notification on the purge and archive internal events to monitor job performance.
When multiple job types are scheduled to run close together, the following behavior will occur:
A list of jobs is created and ordered by next run time. If two jobs have the same run time, the archive
type will run first.
Because of this, the purge jobs may not complete before the archive or purge and archive jobs
run if you do not plan properly.
Multiple purge jobs will be executed based on the next run time order.
The purge job type runs until the batch limit is reached (the batch limit is the total number of events to
delete) and then pauses to give another purge job a chance to run.
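The ordering rules above, as an added illustrative model (Python, not Change Auditor's own scheduler code): jobs are taken in next-run order with archive-type jobs first on a tie, a purge-only job deletes one batch and then goes to the back of the queue, and an archive-type job runs its purge portion to completion and then archives. Job names, event counts and batch sizes are constructed, and the model ignores clock time: a paused purge job is simply re-queued behind the jobs that are already waiting.

```python
"""Model of the purge/archive job ordering described in the guide (added example)."""
from dataclasses import dataclass

ARCHIVE_KINDS = {"archive", "purge_archive"}


@dataclass
class Job:
    name: str
    kind: str            # "purge", "archive" or "purge_archive"
    next_run: int        # scheduled start, minutes after midnight (constructed)
    to_purge: int = 0    # events matching the job's purge criteria
    to_archive: int = 0  # events left in the period once purging is done
    batch_limit: int = 0  # 0 = no batch limit


def is_archive_type(job):
    return job.kind in ARCHIVE_KINDS


def order_jobs(jobs):
    """Order by next run time; on a tie the archive-type job goes first."""
    return sorted(jobs, key=lambda j: (j.next_run, 0 if is_archive_type(j) else 1))


def purge_batch(job):
    """Delete one batch (or everything when there is no batch limit)."""
    n = job.to_purge if job.batch_limit <= 0 else min(job.batch_limit, job.to_purge)
    job.to_purge -= n
    return n


def simulate(jobs):
    """Return (timeline, unpurged_at_archive).

    timeline: list of (job name, "purge"|"archive", event count) in execution order.
    unpurged_at_archive: events still waiting in purge-only jobs when the
    archive-type job started; those events are archived instead of deleted,
    which is the planning problem the guide warns about.
    """
    queue = order_jobs(jobs)
    timeline = []
    unpurged_at_archive = None
    while queue:
        job = queue.pop(0)
        if is_archive_type(job):
            # Archive-type jobs do not yield: the purge portion re-runs
            # immediately until done, then the archive portion runs.
            unpurged_at_archive = sum(j.to_purge for j in queue if not is_archive_type(j))
            while job.to_purge > 0:
                timeline.append((job.name, "purge", purge_batch(job)))
            timeline.append((job.name, "archive", job.to_archive))
        else:
            timeline.append((job.name, "purge", purge_batch(job)))
            if job.to_purge > 0:
                # Batch limit hit: pause and let the other jobs run first.
                queue.append(job)
    return timeline, unpurged_at_archive


def run_sample():
    """Constructed schedule: two purge jobs due at 00:00, one purge/archive job at 00:05."""
    jobs = [
        Job("PurgeA", "purge", next_run=0, to_purge=2500, batch_limit=1000),
        Job("PurgeB", "purge", next_run=0, to_purge=500, batch_limit=1000),
        Job("PurgeArchiveC", "purge_archive", next_run=5,
            to_purge=1200, to_archive=8000, batch_limit=1000),
    ]
    return simulate(jobs)


def sample_tie_order():
    """Two jobs due at the same time: the archive-type one runs first."""
    jobs = [Job("PurgeA", "purge", 0, to_purge=100),
            Job("ArchiveC", "archive", 0, to_archive=10)]
    return [j.name for j in order_jobs(jobs)]


if __name__ == "__main__":
    timeline, unpurged = run_sample()
    for step in timeline:
        print(step)
    print("events still unpurged when the archive job started:", unpurged)
```

In the sample, PurgeA still holds 1500 undeleted events when PurgeArchiveC starts, so those events end up in the archive database rather than being purged; leaving more time between the purge-only jobs and the archive job, or lowering the data volume per run, avoids that.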
During a job
During a purge and/or archive job, consider the following:
Monitor disk space on the SQL server while archiving is in progress. (No Shrink is performed)
The physical database size is not changed. (Shrink operation is not performed). Once the archive
database has been created, you should perform a database cleanup (shrink) on the production database
as required to free up disk space.
For information on how to perform a database shrink, see https://msdn.microsoft.com/en-us/library/ms189035.aspx.
Archive databases for previous years can be detached and moved to a backup storage if needed.
Dell Change Auditor 6.7
User Guide
Description
Job Name
Displays the name assigned to the job when it was created using the Purge and
Archive wizard.
Last Run
Next Run
Displays the date and time the job is scheduled to run next.
NOTE: Based on the client's current local date and time. The format used to display
this date and time is determined by the local computer's regional and language
setting.
Status
Schedule
You will also see information regarding the status of each job, including:
Select the data that you want to purge and/or archive. The default is to process events older than 90
days.
NOTE: Jobs created in previous versions will have the process time converted from
weeks/months/quarters/years to the appropriate number of days.
If required, select Purge and choose the records to be deleted from the production database.
All events: Select this option to purge all events from the database that are older than the specified
time.
Only selected events: Select this option to purge only selected events, based on specific criteria, from
the database that are older than the specified time.
Use the criteria tabs to define the events to be deleted:
Who - purge events generated by a specific user, computer or group.
What - purge events based on subsystem, event class, object class, severity or results.
Where - purge events captured by a specific agent, domain or site.
Origin - purge events originating from a specific workstation or server.
See Purge selected records for a description of the criteria options.
NOTE: If you specify criteria on more than one tab, the criteria specified on ALL of the tabs must
be met before an event is deleted from the database or archived.
Select Archive events if you want to create an archive database. A yearly archive database will be
created beginning on the first day of the selected month. For example, if you select Jan, the database
will contain events for 12 months beginning on January 1.
If you have also selected to purge events based on specific criteria, any events that remain will be
moved to the archive database.
NOTE: A new archive database will be created for each year of events that you have in your
production database.
NOTE: This option is not available, if there is an existing archive job.
Click Next.
Select the job scheduling options to define when the events are to be deleted or archived.
10 Click the Finish button to save the job and exit the wizard.
Click the Edit tool bar button to open the Purge and Archive wizard.
Click the Finish button to save your selections and exit the wizard.
To enable a previously disabled job, select the job from the Purge and Archive page and click the Enable
right-click command.
On the Purge and Archive page, select one or more jobs from the list.
When prompted, confirm that you want to delete the scheduled jobs.
Select the data that you want to purge and/or archive. The default is to process events older than 90
days.
NOTE: Jobs created in previous versions will have the process time converted from
weeks/months/quarters/years to the appropriate number of days.
Select whether you want to purge, archive, or both. If you have specific purge jobs that you want to
complete before a scheduled archive, ensure that you leave enough time between the purge only jobs
and the archive job.
Option
Notes
Purge events
If you select to purge events, specify the options that determine which events will be
removed from the database.
All events: Select this option to purge all events from the database that are older
than the specified time.
Only selected events: Select this option to purge only selected events, based on
specific criteria, from the database that are older than the specified time.
Use the criteria tabs to define the events to be deleted:
Who - purge events generated by a specific user, computer or group.
What - purge events based on subsystem, event class, object class, severity or
results.
Where - purge events captured by a specific agent, domain or site.
Origin - purge events originating from a specific workstation or server.
If you specify criteria on more than one tab, the criteria specified on ALL of the tabs
must be met before an event is deleted from the database or archived.
See Purge selected records for a description of the criteria tabs and options that
appear to specify the records.
Archive events
When this option is selected, a yearly archive database will be created beginning on
the first day of the selected month. For example, if you select Jan, the database will
contain events for 12 months beginning on January 1. If you have also selected to
purge events based on specific criteria, any events that remain will be moved to the
archive database.
NOTE: A new archive database will be created for each year of events that you have
in your production database.
On the initial run of an archive or purge/archive job, an archive database will be created on
the same database server as your production Change Auditor database. The name of
the archive database is as follows: the production database name appended with
_Archive_, the year of your oldest event, and the selected month. Example:
ChangeAuditor_Archive_2014 _August
The *.mdf file will have the same name except that the date will be appended to the
end. Example: ChangeAuditor_Archive_2014__August20150310163244.mdf
If the archive database is moved or deleted a new archive database with the same
name will be created (the *.mdf will differ because a new date is appended) the next
time an archive or purge/archive job runs.
NOTE: If an archive database is deleted or moved before the end of an archived year,
then a new one will be created and will only contain events that were not previously
archived to the deleted or moved database.
NOTE: This option is not available if there is an existing archive job.
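The archive naming convention above lends itself to a quick inventory check. The following is an added example, not Change Auditor code: it parses archive .mdf file names and flags any archive database that has more than one data file, which, per the NOTE above, means the archive was recreated and events may be split across files. It assumes the year/month separator is the double underscore shown in the .mdf example and that the month name is spelled out; the file names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed from the page's .mdf example: <db>_Archive_<yyyy>__<Month><yyyyMMddHHmmss>.mdf
ARCHIVE_MDF = re.compile(
    r"^(?P<db>.+)_Archive_(?P<year>\d{4})__(?P<month>[A-Za-z]+)(?P<stamp>\d{14})\.mdf$"
)


def parse_archive_mdf(filename):
    """Return the parts of an archive .mdf name, or None if it does not fit the pattern."""
    m = ARCHIVE_MDF.match(filename)
    if not m:
        return None
    try:
        created = datetime.strptime(m["stamp"], "%Y%m%d%H%M%S")
    except ValueError:          # 14 digits that are not a valid timestamp
        return None
    return {
        "archive_db": f"{m['db']}_Archive_{m['year']}__{m['month']}",
        "production_db": m["db"],
        "year": int(m["year"]),
        "month": m["month"],
        "created": created,
    }


def find_recreated_archives(filenames):
    """Group .mdf files by archive database name and return the names that have
    more than one file (oldest first): the archive was moved or deleted and then
    recreated, so the older file may hold events the newer one does not."""
    by_archive = defaultdict(list)
    for name in filenames:
        info = parse_archive_mdf(name)
        if info:
            by_archive[info["archive_db"]].append((info["created"], name))
    return {
        db: [name for _, name in sorted(files)]
        for db, files in by_archive.items()
        if len(files) > 1
    }


# Constructed sample listing of the SQL Server data directory.
SAMPLE_FILES = [
    "ChangeAuditor.mdf",
    "ChangeAuditor_Archive_2014__August20150901020000.mdf",
    "ChangeAuditor_Archive_2014__August20150310163244.mdf",
    "ChangeAuditor_Archive_2015__August20160305010000.mdf",
]
```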
Option
Description
Occurs
Batch Limit
Every
When a Monthly schedule is selected, specifies on which day of the month the job
is to be run:
First (default)
Last
Day #
When a Weekly schedule is selected, defines the days of the week when the job
is to be run.
The default is Monday through Friday.
Run Time
Last Run
This read-only field specifies the last time (date and time) the job ran.
NOTE: Based on the client's current local date and time. The format used to
display this date and time is determined by the local machine's regional and
language setting.
Next Run
This read-only field specifies the next time (date and time) when the job is
scheduled to run.
NOTE: Based on the client's current local date and time. The format used to
display this date and time is determined by the local machine's regional and
language setting.
Select Finish.
Who tab
Use the Who tab when you want to purge or archive events generated by specific users, computers, or groups.
By default (when the Who tab is empty), change events generated by all users, computers, and groups will be
deleted from the database or archived.
When multiple who criteria are specified on this tab, Change Auditor uses the OR operator to evaluate change
events, purging or archiving events for activity performed by any of the users, computers or groups listed on
this tab.
From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
activate the criteria tabs.
Open the Who tab and click the Add tool bar button.
On the Select Active Directory Objects dialog, use the Browse or Search page to locate the user,
computer or group to be included. Once you have located a directory object, select it and click the Add
button to add it to the selection list at the bottom of the dialog.
Repeat this step to include each additional directory object.
After selecting one or more directory objects, click the Select button to save your selection and close
the dialog.
NOTE: Use the Add with Events tool bar button (instead of Add) to select users, computers, or
groups that already have an event associated with them in the database. Use this feature to purge
events tied to users who have been removed from Active Directory.
Change Auditor will now only purge or archive events generated by the user(s), computer(s) or group(s)
listed on the Who tab.
NOTE: To purge events NOT generated by the users, computers, or groups listed on the Who tab,
select the Exclude The Following Selection(s) check box at the top of the Who tab.
From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
activate the criteria tabs.
Open the Who tab and expand the Add tool bar button and click Add Wildcard Expression.
NOTE: If you used the Add With Events tool bar button instead, click the Add Wildcard Expression
button on the Add Users, Computer, or Groups dialog.
On the Add Who dialog, enter the wildcard expression to be used to search for users (domain\user name)
or groups (domain\group name).
Enter the pattern (character string and * wildcard character) to be used to search for a match.
Use the * wildcard character to match any string of zero or more characters.
By default, the wildcard expression will be used to search for users. To search for groups, select
the Group option.
NOTE: When using the Group option, the Group Membership Expansion option on the
Coordinator Configuration page (on the Administration Tasks tab) must be set to Expand all
groups.
Click OK to close the dialog and add the wildcard expression to the Who tab.
Change Auditor will now search for and purge or archive change events generated by the users that are
members of the groups whose name matches the specified wildcard expression.
What tab
Use the What tab to specify the what criteria to be used to determine whether an event is to be purged from
the database. By default (when the What tab is empty), all events regardless of the subsystem, event class,
object class, severity, or results will be purged or archived.
When multiple what criteria are specified on this tab, Change Auditor uses the AND operator to evaluate an
event, purging only those events that meet all the specified criteria. However, when multiple subsystems (such
as Active Directory, ADAM, and Exchange) are specified, Change Auditor uses the OR operator to evaluate
these entries, purging or archiving events that meet any of the specified subsystem criteria. The same applies
when multiple event classes are specified: Change Auditor uses the OR operator, purging or archiving events
of any of the specified event classes.
From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
activate the criteria tabs.
Open the What tab, expand the Add tool bar button (or Add With Events tool bar button) and select the
appropriate option. When you select an option, an additional dialog appears allowing you to enter
specific criteria:
Subsystem | ADAM (AD LDS) - Select the agent that hosts the ADAM/LDS Instance dialog
Once you have selected or entered the specific criteria, click the Add button to add it to the selection
list at the bottom of the dialog.
Change Auditor will now search for and purge or archive change events that match the criteria listed on
the What tab.
Where tab
Use the Where tab to purge events captured by specific agents, domains, or sites. By default (when the Where
tab is empty), events captured by all agents will be purged or archived.
When multiple where criteria are added to this tab, Change Auditor uses the OR operator to evaluate events,
purging or archiving events that were captured by any of the specified agents, domains or sites.
From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
activate the criteria tabs.
Open the Where tab and click the Add tool bar button.
On the Choose the Agents, Domains or Sites to Include dialog, use the Browse or Search pages to locate
an individual agent, domain or site.
NOTE: You can also select the Grid View option to select an agent from a list rather than using the
Explorer View to locate it within your environment.
Once you have located an agent, domain or site, select it and click the Add button to add it to the
selection list at the bottom of the dialog.
Repeat this step to include each additional agent, domain or site.
Change Auditor will now search for and purge or archive change events captured by the agents, domains,
or sites listed on the Where tab.
NOTE: To purge or archive events NOT captured by the agents, domains, or sites listed on the
Where tab, select the Exclude The Following Selection(s) check box at the top of the Where tab.
From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
activate the criteria tabs.
Open the Where tab, expand the Add tool bar button and click Add Wildcard Expression.
NOTE: If you used the Add With Events tool bar button instead, click the Add Wildcard Expression
button on the Add Agents, Domains, Sites dialog.
On the Add Where dialog, enter the wildcard expression to be used to search for agents (NetBIOS name),
domains or sites.
Enter the pattern (character string and * wildcard character) to be used to search for a match.
Use the * wildcard character to match any string of zero or more characters.
By default, the wildcard expression will be used to search for agents. To search for domains or
sites, select the Domain or Site option.
Click OK to close the dialog and add the wildcard expression to the Where tab.
Dell Change Auditor 6.7
User Guide
Change Auditor will now search for and purge or archive change events captured by the agent(s),
domain(s) or site(s) whose name matches the specified wildcard expression.
Origin tab
Use the Origin tab to purge events originating from a specific workstation or server. By default (when the Origin
tab is empty), events will be purged regardless of the workstation or server from which they originated.
When multiple origin criteria are specified on this tab, Change Auditor uses the OR operator to evaluate
events, purging or archiving events originating from any of the specified workstations or servers.
From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
activate the criteria tabs.
Open the Origin tab and click the Add tool bar button.
On the Add Origin dialog, enter the wildcard expression to be used to include workstations or servers,
based on their NetBIOS name or IP address:
Enter the pattern (character string and * wildcard character) to be used to search for a match.
Use the * wildcard character to match any string of zero or more characters.
Click OK to close the dialog and add the wildcard expression to the Origin tab.
Change Auditor will now search for and purge or archive change events originating from
workstations/servers whose machine name (NetBIOS name or IP address) matches the specified wildcard
expression.
NOTE: To purge or archive events NOT originating from the workstations or servers listed on the
Origin tab, select the Exclude The Following Selection(s) check box at the top of the Origin tab.
To select an originating workstation or server that has an event in the Change Auditor
database:
From the Purge and Archive wizard, select the Purge option, and then enable Only selected events to
activate the criteria tabs.
Open the Origin tab and click the Add With Events tool bar button.
The Add Origin dialog appears populated with originating workstations/servers that have an event
associated with them in the Change Auditor database.
NOTE: Use the Add Wildcard Expression button to enter a wildcard expression to include
workstations/servers from this list based on their NetBIOS name or IP address.
On the Add Origin dialog, select one or more originating workstations/servers from the list and click Add
to add it to the selection list at the bottom of the page.
Click OK to close the dialog and add the selected workstations to the Origin tab.
Change Auditor will now search for and purge or archive change events originating from the selected
workstations/servers.
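To see how the Who, What, Where and Origin criteria combine before committing a purge job, the following is an added example, not Change Auditor code, that models the OR/AND semantics documented above, the Exclude The Following Selection(s) check box and the * wildcard, and runs a constructed job over constructed events. It assumes name matching is case-insensitive and stands in for the coordinator's group expansion with a per-event list of group memberships.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    who: str          # domain\user that made the change
    groups: tuple     # domain\group memberships (stands in for group expansion)
    subsystem: str
    event_class: str
    agent: str        # NetBIOS name of the agent that captured the event
    origin: str       # NetBIOS name or IP address of the originating machine
    age_days: int


def wildcard_match(pattern, value):
    """'*' matches any run of zero or more characters; everything else is literal.
    Case-insensitive, as Windows account and machine names are (assumption)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


@dataclass
class ListTab:
    """Where or Origin tab: entries are ORed; Exclude inverts the result."""
    patterns: list = field(default_factory=list)
    exclude: bool = False

    def matches(self, value):
        if not self.patterns:      # empty tab: no restriction
            return True
        hit = any(wildcard_match(p, value) for p in self.patterns)
        return not hit if self.exclude else hit


@dataclass
class WhoTab:
    """User and group patterns are ORed; group patterns need Event.groups."""
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    exclude: bool = False

    def matches(self, ev):
        if not self.users and not self.groups:
            return True
        hit = (any(wildcard_match(p, ev.who) for p in self.users)
               or any(wildcard_match(p, g) for p in self.groups for g in ev.groups))
        return not hit if self.exclude else hit


@dataclass
class WhatTab:
    """Subsystems are ORed, event classes are ORed, and the two kinds are ANDed."""
    subsystems: list = field(default_factory=list)
    event_classes: list = field(default_factory=list)

    def matches(self, ev):
        checks = []
        if self.subsystems:
            checks.append(ev.subsystem in self.subsystems)
        if self.event_classes:
            checks.append(ev.event_class in self.event_classes)
        return all(checks)         # empty tab: every event qualifies


@dataclass
class PurgeJob:
    older_than_days: int = 90      # the wizard's default
    who: WhoTab = field(default_factory=WhoTab)
    what: WhatTab = field(default_factory=WhatTab)
    where: ListTab = field(default_factory=ListTab)
    origin: ListTab = field(default_factory=ListTab)

    def selects(self, ev):
        # Criteria on different tabs are ANDed.
        return (ev.age_days > self.older_than_days
                and self.who.matches(ev)
                and self.what.matches(ev)
                and self.where.matches(ev.agent)
                and self.origin.matches(ev.origin))

    def run(self, events):
        """Return the events this job would purge or archive, for review before it runs."""
        return [ev for ev in events if self.selects(ev)]


# Constructed sample events.
SAMPLE_EVENTS = [
    Event("CORP\\jdoe", ("CORP\\Helpdesk",), "Active Directory",
          "Group Member Added", "DC01", "WS-042", 120),
    Event("CORP\\svc-backup", ("CORP\\Service Accounts",), "Exchange",
          "Mailbox Accessed", "EX01", "10.0.0.5", 200),
    Event("CORP\\jdoe", ("CORP\\Helpdesk",), "Active Directory",
          "Group Member Added", "DC01", "WS-042", 30),
    Event("CORP\\admin1", ("CORP\\Domain Admins",), "Active Directory",
          "Group Member Added", "DC02", "JUMP01", 400),
]

# Constructed job: helpdesk and service-account activity older than 90 days in
# the AD or Exchange subsystems, excluding events captured by domain
# controllers (Where tab with Exclude) and only from the 10.0.0.* range.
SAMPLE_JOB = PurgeJob(
    who=WhoTab(groups=["CORP\\Service Accounts", "CORP\\Help*"]),
    what=WhatTab(subsystems=["Active Directory", "Exchange"]),
    where=ListTab(patterns=["DC*"], exclude=True),
    origin=ListTab(patterns=["10.0.0.*"]),
)
```

Only the service-account event survives every tab: the helpdesk event is dropped by the Where exclusion, the 30-day-old event is too recent, and the Domain Admins event matches no Who entry.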
13 Disable Private Alerts and Reports
Introduction
Using the Private Alerts and Reports page on the Administration Tasks tab, administrators can disable alert
notifications and scheduled reports that were created under a user's Private folder. This feature allows
administrators to clean up orphaned alerts and reports in all users' private folders.
NOTE: Authorization to use the administration tasks on the Administration Tasks tab is defined using the
Application User Interface page. To disable private alerts/reports using the Private Alerts and Reports
page, you must be assigned to a role that contains the View Private Alerts and Reports, Disable Alert and
Disable Report operations. If you are denied access to the tasks on this page, refer to the Change Auditor
User Interface Authorization chapter.
This section provides a description of the disable private alert/report feature, including the Private Alerts and
Reports page and instructions on how to disable private alerts/reports from the Administration Tasks tab. For a
description of the dialogs mentioned in this chapter, refer to the online help.
Name
Displays the name assigned to the search query when it was created.
Folder
Displays the full folder path where the search query was saved.
Owner
Displays the name of the owner who created the private alert/report.
Alert
Indicates whether an alert has been enabled for the search query. Valid entries for this field are:
Enabled - which means that alerting is enabled for the search query and that at least one
transport method is enabled.
Disabled - which means that the alert is disabled for the search query; however at least one
transport method is still enabled.
Report
Indicates whether reporting has been enabled for the search query. Valid entries for this field are:
Enabled - which means reporting is enabled for the search query and a report will be sent to the
specified recipient(s) as defined on the Report tab.
Disabled - which means previously enabled reporting has now been disabled for the search query.
Alert To
Displays the email address of any recipient(s) specified to receive an alert email notification (SMTP).
Alert Cc
Displays the email address of any carbon copy recipient(s) specified to receive an alert email
notification.
Alert Bcc
Displays the email address of any blind carbon copy recipient(s) specified to receive an alert email
notification.
Report To
Displays the email address of any recipient(s) specified to receive a report as defined on the Report tab.
Report Cc
Displays the email address of any carbon copy recipient(s) specified to receive a report email.
Report Bcc
Displays the email address of any blind carbon copy recipient(s) specified to receive a report email.
Click the Configuration task button at the bottom of the navigation pane (left pane).
On the Private Alerts and Reports page use one of the following methods to disable a private
alert/report:
Select the alert/report to be disabled and click the appropriate tool bar button: Disable Alert or
Disable Report.
Select the alert/report to be disabled, right-click and select the appropriate option: Disable
Alert or Disable Report.
The disabled status also appears on the Searches page for the selected search query. The user can use
the commands on the Searches page to re-enable alerting/reporting for a private search query.
14 Generate and Schedule Reports
Introduction
Presenting audited information in a professional, concise and effective way is as critical as gathering it
in the first place. The scheduled reporting feature uses the same SMTP configuration defined for alerting to
distribute search query reports via email. In addition to email reporting, you can publish Change Auditor reports
to Microsoft SQL Server Reporting Services (SRS) or to the Dell Knowledge Portal, which extends Microsoft
SQL Server Reporting Services to provide easy report management and delivery.
Change Auditor's reporting features allow organizations to granularly discern which business units see which
types of data and also to set custom criteria for the types of information shared in the report. For example,
administrators could pull reports highlighting how many times a particular event or category of events occurred
in the last 30 days, or provide a more detailed accounting to articulate who made the changes, how many times,
and the before and after values associated with those changes. Whether for operations insight or security
reporting for management, Change Auditor provides reports that streamline reporting to meet any requirement.
This section provides a description of the reporting feature and instructions on how to generate reports using
the Change Auditor client, publish reports to Dell Knowledge Portal, and print or save the contents of the active
page. It also provides a description of the Report Layouts page and Report tab, which are used to define the
layout and distribution of a report. For a description of the dialogs mentioned in this chapter, refer to the online
help.
Report Layouts page (Administration Tasks tab) to create global templates that define the header and
footer information for reports. See Create global report template.
Layout tab (Search Properties tabs) to specify the data (columns) to be retrieved from the database and
displayed for the selected search. In addition, you can specify the column order, sort criteria and order,
and data grouping to be used for displaying the retrieved data. The settings on this tab are also used to
display the search results in the client. See Define report content and layout.
Report tab (Search Properties tabs) to enable reporting for a selected search query, specify the global
template to be used or choose to design a custom report using the report designer, and schedule the
distribution of the report. See Enable and schedule reporting.
Click the Configuration task button at the bottom of the navigation pane (left pane).
Select Report Layouts in the Configuration task list to open the Report Layouts page.
Click the Add tool bar button to display the New Report Layout dialog. Enter a descriptive name for the
new report template and click OK.
The report designer appears.
Use the controls in the tool bar to the left of the report grid to define the header and/or footer
information to be included. For example:
To add the report title to the page header pane, click the Text button. Move the pencil cursor
in the heading pane to where you want to place the report title and click. Open the System Variable
tab in the Text Editor and locate the ReportName variable. Double-click the variable to add it to the
text pane. Click OK to save your selection and close the Text Editor.
Back on the report grid, you can resize the {ReportName} text box to prevent the report title
from being truncated. You can also use the settings in the Properties pane to modify the font,
size, color, etc.
To add a page footer (e.g., page number), click the Page Footer button. Click on the report
grid and the page footer pane will be added to the bottom of the page. Use the arrow controls or
the Height setting in the Properties pane to resize the footer pane.
To add the page number to the page footer pane, click the Text button. Move the pencil cursor in
the footer pane where you want to place the page number and click. Open the System Variables
tab in the Text Editor, locate the page number variable to be used (for example, PageNofM).
Double-click the variable to add it to the text pane. Click OK to save your selection and close the
Text Editor.
NOTE: This is an example of how to use the report designer to add a simple header and footer.
However, the report designer, which uses StimulReport.Net components, has many more
capabilities. For a detailed description of each component available for designing reports,
press F1 to view the Stimulsoft online help (www.stimulsoft.com).
The new report template is added to the Report Layouts page (Administration Tasks tab) and is also now
available in the Layout drop-down menu on the Report tab (Search Properties tabs).
specify the format to be used for the report attachment (PDF, Html, Word, Text, Excel, CSV)
select the recipients who are to receive the report via email
select the template to be used for the report's headers and footers or design a custom report layout
using the report designer
Description
Report Enabled
Select the Report Enabled check box to enable reporting for the current search
definition.
NOTE: This option becomes available only after a valid email address is entered
in the To field in the Report Configuration section of this tab.
Report Configuration
Layout
Specifies which report template is to be used for the report's headers and
footers.
The Default report template has been defined for you. To define additional
report templates, use the Report Layouts page on the Administration Tasks tab.
NOTE: This setting is disabled if you click the Design Report tool bar button to
define a custom report layout for the selected search.
Report
Every
On Days
When a Weekly report is selected, defines the days of the week when the report
is to be generated. The default is Monday through Friday.
On Day of Month
When a Monthly report is selected, specifies on which day of month the report is
to be generated:
First (default)
Last
Day #
Run Time
Reset
Use the Reset button to reset the settings back to the factory defaults.
Description
To
Enter the email address of the person(s) who are to receive the report.
You can also use the browse button to locate and select the user(s) who are
to receive the report. Selecting this button displays one of the following dialogs:
where you can use the Browse or Search page to locate Active Directory
user(s). This dialog is displayed when no Exchange host is specified in the
SMTP Configuration pane of the Coordinator Configuration page.
The Search Users dialog allowing you to locate and select an Exchange
user (Exchange tab) or an Active Directory user (Active Directory tab).
This dialog is displayed when an Exchange host is defined in the SMTP
Configuration pane of the Coordinator Configuration page.
Click the Expand Properties button (right arrow) to the left of the To field to
enter additional recipients and/or change the subject. When expanded, you can
enter the following information:
To: Enter or use the browse button to specify the email address of users
who are to receive the report.
Reply: Enter or use the browse button to specify the email address to
which reply emails are to be sent.
Cc: Enter or use the browse button to specify the email address of users
who are to receive a copy of the report email.
Bcc: Enter or use the browse button to specify the email address of users
who are to receive a blind copy of the report email.
Click the Collapse Properties button (down arrow) to hide these additional
properties and show the other settings available on the Report Configuration
pane.
NOTE: You can enter an individual email address or distribution list in any of the
email address fields. Separate multiple email addresses with a semi-colon.
Attach
Columns
The report is sent as an email attachment. Select the appropriate Attach option
to define the format to be used for the report:
PDF (default)
Html
Word
Text
Excel
CSV
NOTE: These settings are disabled if you click the Design Report tool bar button
to define a custom report layout for the selected search.
Time Zone
Specifies the time zone to be used for the report's time stamp in the report
email. By default, the time zone of the machine where the Change Auditor client
resides will be used.
Last Run
This read-only field specifies the last time (date and time) the report ran.
Next Run
This read-only field specifies the next time (date and time) when the report is
scheduled to run.
To enable/schedule reporting:
NOTE: In order to distribute reports through email (SMTP) you must first enable email notifications on the
Coordinator Configuration page of the Administration Tasks tab. See Configure email alert
notifications/reports.
Expand the Private or Shared folders in the explorer view to locate the search to which reporting is to
be enabled. Select the search from the Search list in the right pane.
Open the Report tab and enter a valid email address in the To field and then select the Report Enabled
check box.
Report: Specify when the report is to be generated/sent (i.e., on a weekly or monthly schedule).
Run Time: Specify the time (based on the client's current local date and time) at which the report
is to be run.
Time Zone: Select the time zone to be used for the report's time stamp in the report email.
NOTE: See Table 24 for a detailed description of the report configuration settings.
Report To, Report Cc and Report Bcc columns display the email address of specified recipients.
Expand the Private or Shared folders in the explorer view to locate the search whose reporting is to be
disabled. Select the search from the Search list in the right pane.
Use one of the following methods to disable reporting for the selected search:
Open the Report tab and clear the Report Enabled check box. Click the Save tool bar button.
Open the Report tab for the selected search and click the Design Report tool bar button.
The report designer appears allowing you to create a custom report layout for the selected search.
NOTE: Once the report designer is launched, the Layout and Columns settings on the Report tab
for the selected search are disabled. To re-enable these settings, click the Reset button at the
bottom of the Report tab.
Publish reports
Change Auditor supports Microsoft SQL Server Reporting Services (SRS), which provides a
comprehensive, server-based solution that enables the creation, management and delivery of both traditional
paper and interactive web-based reports. With this implementation, administrators no longer need to traverse the
various auditing solutions to create the desired reports. Instead, they can interact with a web-based reporting
portal and simply subscribe to the reports they want to see.
You can also publish Change Auditor reports to the Dell Knowledge Portal which extends Microsoft SQL Server
Reporting Services to provide easy report management and delivery.
NOTE: If you publish to SRS, reports are only available within the SRS reports website. Users will not be
able to access them through the Dell Knowledge portal. However, if you publish to the Dell Knowledge
Portal, reports will be available in both the SRS reports website and the Dell Knowledge Portal site.
Create the required QKP directory and a subdirectory under it called SharedDataSources.
NOTE: This is only required if this is the first time that you have installed the Dell Knowledge
Portal. If you have used it with any other Dell products, these directories will already have been
created.
Specify the installation folder and make sure to select the Dell Knowledge Portal.
A requirements check is run to ensure your system conforms to the system requirements. If everything
passes, select Proceed to Installation Wizard. If not, refer to the Dell Knowledge Portal documentation
for the list of minimum system requirements.
Specify the site and virtual directory where to install the Knowledge Portal and click Next.
Specify the SQL Reporting Services server URL where the Dell Knowledge Portal will be installed and click
Next.
IMPORTANT: This URL (Http://SQLServerName/Reports) will be used to create the required
directories.
Specify the default user name and password that will be used for:
Searching for accounts in Active Directory when granting access rights to report users
NOTE: This user account should be granted the Log on as a service right on Windows 2003-based computers where the Dell Knowledge Portal is installed.
Dell has a Software Improvement Program to help identify and improve the features you use most. Select
the country where you are installing the Dell Knowledge Portal and click Next.
Open the SRS Reports URL entered during the installation (Http://SQLServerName/Reports).
Open the QKP directory and create a new folder called SharedDataResources.
You can now open the Knowledge Portal site (Http://servername/DellKnowledgePortal). The
page will be empty until you publish a report.
Expand the Private and Shared folders and select a folder in the explorer view to display the list of
search/report definitions stored in the selected folder.
From the right-hand pane, right-click a search/report definition and select Publish to Dell
Knowledge Portal. The Knowledge Portal Setup dialog appears allowing you to configure the SQL
Server Reporting services to be used and specify the report details. (To publish a series of reports
(folder), select a folder in the explorer view.)
If not already configured, select the Configure button to specify the reporting services and Change
Auditor shared data source to be used.
Enter the URL of the SRS server that is to host the Change Auditor reports. For example:
http://<SQL_Server>/<ReportServer>
Where: <SQL_Server> is the name of the server hosting SRS and <ReportServer> is the name of the
report server virtual directory. (In a default Reporting Services installation, the name of the
virtual directory is reportserver.)
NOTE: Instead of entering the report server URL, you can click the Browse Knowledge
Portal Servers button to select a Change Auditor agent that has Dell Knowledge Portal
installed. Selecting an agent from the Eligible Change Auditor Agents dialog populates the
report server URL.
NOTE: This Windows account requires rights to create SRS reports and data sources on the
server (a.k.a. Content Manager).
Enter the user account and credentials to be used to access the Change Auditor database (data
source).
Once you have entered the requested information, Change Auditor will publish the reports to the
specified server, which will then be available through Dell Knowledge Portal.
Expand the Private and Shared folders and select a folder in the explorer view to display the list of
search/report definitions stored in the selected folder.
From the right-hand pane, right-click a search/report definition and select Publish reports using SQL
Reporting Services. This will display the Create Report dialog allowing you to configure the SQL Server
Reporting services to be used and to specify the report details. (To publish a series of reports (folder),
select a folder in the explorer view.)
If not already configured, select the Configure button to specify the reporting services and Change
Auditor shared data source to be used.
Enter the URL of the SRS server that is to host the Change Auditor reports. For example:
http://<SQL_Server>/<ReportServer>
Where: <SQL_Server> is the name of the server hosting SRS and <ReportServer> is the name of the
report server virtual directory. (In a default Reporting Services installation, the name of the
virtual directory is reportserver.)
NOTE: You can use the Import SRS Settings button on the Reporting Services Setup dialog to
import a SQL Reporting Services template that was previously created to define the
necessary SRS settings or enter the SRS settings as defined below.
NOTE: This Windows account requires rights to create SRS reports and data sources on the
server (a.k.a. Content Manager).
Enter the user account and credentials to be used to access the Change Auditor database (data
source).
Once you have entered the requested information, Change Auditor will publish the reports to the
specified server, which will then be available through SQL Server Reporting Services.
Searches page - The search properties specified for the selected search are printed. You must select a
search from the searches list in the right pane to enable the print options.
Search Results page - The data grid, pie chart or bar graph as it is displayed on this page is printed.
Coordinator Configuration page - The settings specified in the SMTP Configuration, Group Membership
Expansion and Agent Heartbeat Check panes are printed.
AD Attributes Auditing page - The attributes selected for auditing are printed.
ADAM (AD LDS) Attributes Auditing page - The attributes selected for auditing are printed.
Application User Interface page - Printing is not available for this page.
To print a page:
Open the page to be printed and click the Print tool bar button.
On the native Print dialog, specify your print options and the printer to be used.
NOTE: You may want to use the Print | Page Setup option in the Change Auditor client or
Preferences button on the Print dialog to change the page orientation to Landscape and decrease
the page margins prior to printing the pages that contain grids.
Click Print to close the dialog and send the displayed page to the designated printer.
Open the page to be printed, expand the Print tool bar button and select Print Preview.
Use the controls at the top of the preview screen to print the report, display multiple or selected pages,
zoom and close the preview screen.
Open the page to be saved to a file, expand the Print tool bar button and select one of the following
commands:
Print to File
Print to PDF
The native Save As dialog appears allowing you to specify the file name and location. Also if you clicked
the Print to File command, you can specify the type of file to be saved (.xls, .xlsx or .csv).
15 SQL Reporting Services Configuration
Introduction
Change Auditor allows you to define SQL Reporting Services (SRS) templates that define all the necessary Report
Server information (URL and credentials) and Change Auditor data source information for publishing reports.
These templates can then be made available to users who choose to publish Change Auditor reports to SRS. That
is, when an authorized user attempts to publish a Change Auditor report to SRS using the Publish reports to SQL
Reporting Services right-click command on the Searches page, they can use the Import SRS Settings button on
the Reporting Services Setup dialog to import the settings defined in a SQL Reporting Services template to
publish their reports.
This section provides instructions for creating SQL Reporting Services templates, as well as a description of the
SQL Reporting Services page and SQL Reporting Services wizard. For a description of the other dialogs
mentioned in this chapter, refer to the online help.
Template
Displays the name assigned to the template when it was created.
Status
Indicates whether the template is enabled or disabled.
URL
This field is used for filtering data.
Authorized Accounts
This field is used for filtering data.
Dell Change Auditor 6.7
User Guide
Click the expansion box to the left of the Template name to expand this view and display the following details:
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the templates that meet the search criteria (i.e.,
comparison operator and characters entered).
URL
Displays the Report Server URL specified in the wizard.
Database
Displays the Data Source name of the database as specified in the wizard.
Authorized Account
Displays the accounts that are authorized to use this SQL Reporting Services template.
Select the Configuration task button at the bottom of the navigation pane (left-hand pane).
Select SQL Reporting Services in the Configuration task list to open the SQL Reporting Services page.
Use the Add tool bar button to launch the SQL Reporting Services wizard to define the report server and
data source information.
Enter the URL of the SRS server that is to host the Change Auditor reports.
For example: http://<SQL_Server>/<ReportServer>
where: <SQL_Server> is the name of the server hosting SRS and <ReportServer> is the name of the
report server virtual directory. (In a default Reporting Services installation, the name of the
virtual directory is reportserver.)
Enter the user account, credentials and domain for a Windows account that has permissions to
copy files to SRS.
NOTE: This Windows account requires rights to create SRS reports and data sources on the
server (a.k.a. Content Manager).
Enter the user account and credentials to be used to access the Change Auditor database (data
source).
On the second page of the wizard, select the user or group accounts that are authorized to use this
template to publish Change Auditor reports to SRS.
NOTE: The user and group accounts entered on this page are the ONLY accounts that are allowed
to import the settings in this template to publish Change Auditor reports to SRS. For example, even
members of the Change Auditor Administrators group will not be able to use the Import SRS Settings
button on the Reporting Services Setup dialog to import the settings in this template to publish
reports to SRS unless they are also added as an authorized account on this page.
Use the Browse or Search pages to locate and select the accounts to be included in the template. Use
the Add button to add these accounts to the list box at the bottom of the page.
Select Finish to create the template and return to the SQL Reporting Services page.
Now when an authorized user attempts to publish a Change Auditor report to SRS using the Publish reports to
SQL Reporting Services right-click command on the Searches page, they can use the Import SRS Settings
button on the Reporting Services Setup dialog to import the settings defined in this template to publish their
reports.
To modify a template:
1 On the SQL Reporting Services page, select the template to be modified and select the Edit tool bar
button or right-click command.
This will display the SQL Reporting Services wizard, where you can modify the report server and data
source settings and authorized accounts included in the template.
To disable a template:
The disable feature allows you to temporarily disable the use of a template without having to remove it from
Change Auditor.
1 On the SQL Reporting Services page, use one of the following methods to disable a template:
Click in the Status cell for the template to be disabled and select Disabled
The entry in the Status column for the template will change to Disabled.
2 To re-enable a template, use the Enable option in either the Status cell or right-click menu.
To delete a template:
1 On the SQL Reporting Services Auditing page, use one of the following methods to delete a template:
Select the template to be deleted and use the Delete | Delete Template tool bar button
A dialog will be displayed confirming that you want to delete the selected template. Select Yes.
Enter a descriptive name for the SQL Reporting Services template being
created.
Enter the URL for the SQL Reporting Services (SRS) server that will be hosting
the Change Auditor reports.
For example: http://<SQL_Server>/<ReportServer>
where <SQL_Server> is the name of the server hosting SRS and <ReportServer>
is the name of the report server virtual directory.
User
Enter a user name for a Windows account that has credentials to copy files to a
SQL Reporting Service.
Password
Enter the password associated with the user name entered above.
Domain
Enter the domain for the Windows account to be used to access SRS.
Authentication
User
Enter a user name for the account to be used to access the Change Auditor
data source.
Password
Enter the password associated with the user name entered above.
Domain
Enter the domain for the user account to be used to access the Change Auditor
data source. This only applies to Windows Authentication.
Test
Use the Test button at the bottom of the dialog to verify the credentials
entered in the SQL Server Reporting Services section at the top of the dialog.
Select Accounts Authorized to Use This SQL Reporting Services Service Template page
When you enter a user or group account on this page, you are defining which users/groups are allowed to use
this template to publish Change Auditor reports to SRS. That is, only users who are listed on this page (or users
in any groups listed on this page) will be able to use the Import SRS Settings button on the Reporting Services
Setup dialog to select this SRS template.
Browse Page
Search Page
Use the controls at the top of the Search page to search your environment to
locate the desired user or group account.
Once you have selected an account, use the Add button to add it to the list box
at the bottom of the page.
Options Page
Use the Options page to modify the search options or global catalog used to
retrieve directory objects.
The list box located across the bottom of this page, displays the accounts that
are authorized to import the SRS settings in this template to publish Change
Auditor reports to SRS. Use the buttons located above this list box to add and
remove objects.
Select a user or group in the Browse or Search page and select the Add button
to add it to the list.
Select an entry from the list and then select the Remove button to remove it.
16 Change Auditor User Interface Authorization
Introduction
Role-based access control allows you to assign users/groups to roles based on their job functions and grant
these roles permissions to perform related tasks. Role-based access control can be broken down into the
following entities that are used to define who can do what:
Role: a logical group of users and the tasks they are allowed to perform
Authorization for using the different features of the Change Auditor client is defined using the Application User
Interface Authorization page. From this page on the Administration tab, you can add new task and role
definitions or delete user-defined roles and tasks that are no longer being used.
By default, the following roles and tasks are defined; therefore, no action is required on your part to start using
the Change Auditor client:
Administrator Role - has full administrator privileges with access to all aspects of the Change Auditor
Client, Change Auditor Web Client and deployment of Change Auditor agents
Operator Role - has only operator privileges with limited access to the Change Auditor client (e.g. these
users can define and run searches, but they cannot access the Administration, Statistics or Deployment
pages) and access to perform all tasks except the administration functions in the Change Auditor web
client
Web Client Shared Overviews Role - has view access to the Change Auditor web client shared overviews;
while restricting access to only what has been shared
AD Protection Task - grants access to Active Directory and Group Policy protection tasks
Web Client Shared Overviews Task - grants view access to the web client's shared overviews
During the Change Auditor installation, you added user accounts to the Change Auditor security groups
(ChangeAuditor Administrators - <InstallationName> and ChangeAuditor Operators - <InstallationName>). These
security groups are automatically added as members of the appropriate role (Administrator Role and Operator
Role). If applicable, during the Change Auditor web client installation, you may have also added user accounts
to the ChangeAuditor Web Shared Overview Users security group. This additional security group is added as a
member to the Web Client Shared Overviews role.
NOTE: The Administrator, Operator and Web Client Shared Overviews roles and tasks cannot be removed,
renamed or edited.
In addition, using the AD Protection role and task, Change Auditor administrators can specify who is authorized
to view protection definitions for Active Directory and Group Policy objects. Refer to the Dell Change Auditor
for Active Directory User Guide for more information on restricting access to specific domains and
organizational units.
This section provides a description of the Application User Interface Authorization page. It also provides
instructions for adding task definitions, role definitions and application groups to define who can use the
different features available in the Change Auditor client. For a description of the other dialogs mentioned in
this chapter, refer to the online help.
The Application User Interface Authorization page contains an expandable view of the role and task definitions
which define role-based access. To add a role or task, use the appropriate Add tool bar command: Add | Add
Role Definition or Add | Add Task Definition.
Name
Displays the name assigned to the role or task definition when it was created.
Type
Indicates the type of definition:
Role
Task
Description
Displays the description entered when the role or task definition was created.
Click the expansion box to the left of a Role Definition to expand this view and display the following details:
Member
Displays the user and group accounts that are assigned as members of the selected role.
Type
Indicates the type of account in the selected role:
Group
User
Application Group
Description
Displays the description from the Members tab of the Authorization Role dialog when the role was
created.
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the roles or tasks that meet the search criteria (i.e.,
comparison operator and characters entered). For more details about using the data filtering function
provided throughout the Change Auditor client, see Filter data.
Click the Configuration task button at the bottom of the navigation pane (left pane).
Select Application User Interface in the Configuration task list to open the Application User Interface
Authorization page.
Expand the Add tool bar button and click the Add Task Definition command.
On the Task page of the Authorizations: Task dialog, enter the following information:
Open the Definition tab and add the operations and lower-level tasks that can be performed:
To add a lower-level task, click the Add Task button and select a task from the Authorizations:
Task Definitions dialog.
To add an operation, click the Add Operation button and select one or more operations from the
Authorizations: Operations dialog.
Click the OK button to save your new task definition and close the Authorizations: Task dialog.
This task will now be included in the task list on the Authorizations: Task Definitions dialog and can be
included in a role definition.
Task definitions are also listed on the Application User Interface Authorization page.
Click the Add tool bar button or expand the Add button and click Add Role Definition.
On the Authorizations: Role dialog, enter the following on the Role tab:
Open the Definition tab to add a role, task or operation to this role:
To add a role, click the Add Role button and select a role from the Authorizations: Role
Definitions dialog.
To add a task, click the Add Task button and select a task from the Authorizations: Task
Definitions dialog.
To add an operation, click the Add Operation button and select one or more operations from the
Authorizations: Operations dialog.
Open the Members tab to add a user, group or application group to this role.
To add an application group, click the Add Application Group button and select an application
group from the Authorizations: Application Groups dialog.
To add a user or group, click the Add User or Group button, which will display the Select one or
more Directory Objects dialog. Use the Browse page or Search page to locate and select the user
and/or group account(s) to be added.
NOTE: If a user or group account is added to multiple access roles, the account will have the
authority to perform the operations defined in the more authoritative role.
Click the OK button to save your new role definition and close the Authorizations: Role dialog.
Role definitions are displayed on the Application User Interface Authorization page.
Authorization Manager (AzMan) where you can define a group of users without having to go through
Expand the Add tool bar button and click Add Application Group.
On the Group tab of the Authorizations: Application Group dialog, enter the following information:
Select the method to be used to define the group of users:
Basic (default)
LDAP Query
NOTE: Basic groups are a lot like Active Directory groups; however, you can define both included
and excluded members. LDAP query groups allow you to define an LDAP query that dynamically
creates a group of similar users. Refer to the Windows Authorization Manager documentation for
more information on basic and LDAP query groups.
Open the Members tab and add the users and groups that are to be members of this application group.
To add an application group, click the Add Application Group button and select an application
group from the Authorizations: Application Groups dialog.
To add a user or group, click the Add User or Group button, which will display the Select Active
Directory Objects dialog. Use the Browse page or Search page to locate and select the user(s)
and/or group(s) to be added.
Optionally, open the Non-Members tab and add the users and groups that are to be excluded from this
application group.
To add an application group, click the Add Application Group button and select an application
group from the Authorizations: Application Groups dialog.
To add a user or group, click the Add User or Group button, which will display the Select Active
Directory Objects dialog. Use the Browse page or Search page to locate and select the user(s)
and/or group(s) to be added.
Click the OK button to save your new application group and close the Authorizations: Application Group dialog.
When the selected member(s) now try to define Active Directory protection, they will be restricted to
defining protection for the selected domain or organizational unit.
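The role, task, operation and application group entities described in this chapter, together with the note above about an account that belongs to several roles, can be modelled in a few lines. The block below is an added example, not Change Auditor or Windows Authorization Manager code; it assumes that membership in several roles yields the union of their operations, that a basic application group's Non-Members list overrides its Members list, and every account, group and operation name in it is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Task:
    """A task definition: operations plus optional lower-level tasks."""
    name: str
    operations: set = field(default_factory=set)
    tasks: list = field(default_factory=list)

    def flatten(self, seen=frozenset()) -> set:
        if self.name in seen:              # guard against a definition cycle
            return set()
        ops = set(self.operations)
        for t in self.tasks:
            ops |= t.flatten(seen | {self.name})
        return ops


@dataclass
class AppGroup:
    """A basic application group; Non-Members are assumed to win over Members."""
    name: str
    members: set = field(default_factory=set)      # users, AD groups, app groups
    non_members: set = field(default_factory=set)

    def contains(self, principals: set, app_groups: dict, seen=frozenset()) -> bool:
        if self.name in seen:
            return False
        seen = seen | {self.name}

        def matches(entries: set) -> bool:
            for entry in entries:
                if entry in principals:
                    return True
                nested = app_groups.get(entry)
                if nested and nested.contains(principals, app_groups, seen):
                    return True
            return False

        if matches(self.non_members):      # exclusion overrides inclusion
            return False
        return matches(self.members)


@dataclass
class Role:
    """A role definition: nested roles, tasks, operations and its members."""
    name: str
    operations: set = field(default_factory=set)
    tasks: list = field(default_factory=list)
    roles: list = field(default_factory=list)
    members: set = field(default_factory=set)

    def flatten(self, seen=frozenset()) -> set:
        if self.name in seen:
            return set()
        ops = set(self.operations)
        for t in self.tasks:
            ops |= t.flatten()
        for r in self.roles:
            ops |= r.flatten(seen | {self.name})
        return ops

    def has_member(self, principals: set, app_groups: dict) -> bool:
        for entry in self.members:
            if entry in principals:
                return True
            grp = app_groups.get(entry)
            if grp and grp.contains(principals, app_groups):
                return True
        return False


def effective_operations(principals: set, roles: list, app_groups: dict) -> set:
    """principals = the account name plus every AD group it belongs to."""
    ops = set()
    for role in roles:
        if role.has_member(principals, app_groups):
            ops |= role.flatten()          # union == the most authoritative role wins
    return ops


# ---- constructed sample definitions (all names illustrative) ---------------
SEARCH_TASK = Task("Search Task", {"RunSearch", "CreateSearch"})
AD_PROTECTION_TASK = Task("AD Protection Task", {"ViewADProtection", "EditADProtection"})
ADMIN_TASK = Task("Admin Task", {"ManageAgents", "EditAuthorization"}, [AD_PROTECTION_TASK])
OPERATOR_ROLE = Role("Operator Role", tasks=[SEARCH_TASK],
                     members={"ChangeAuditor Operators - Lab"})
ADMIN_ROLE = Role("Administrator Role", tasks=[ADMIN_TASK], roles=[OPERATOR_ROLE],
                  members={"ChangeAuditor Administrators - Lab"})
PROTECTION_VIEWERS = Role("Protection Viewers", operations={"ViewADProtection"},
                          members={"Helpdesk App Group"})
APP_GROUPS = {"Helpdesk App Group": AppGroup(
    "Helpdesk App Group", members={"LAB\\Helpdesk Staff"}, non_members={"LAB\\contractor1"})}
ROLES = [OPERATOR_ROLE, ADMIN_ROLE, PROTECTION_VIEWERS]


def operations_for(user: str, ad_groups: set) -> set:
    return effective_operations({user} | ad_groups, ROLES, APP_GROUPS)


if __name__ == "__main__":
    for user, groups in [("LAB\\admin1", {"ChangeAuditor Administrators - Lab"}),
                         ("LAB\\helpdesk1", {"LAB\\Helpdesk Staff", "ChangeAuditor Operators - Lab"}),
                         ("LAB\\contractor1", {"LAB\\Helpdesk Staff"})]:
        print(user, sorted(operations_for(user, groups)))
```

The contractor case shows the point of the Non-Members tab: membership in the AD group does not grant the role because the account is explicitly excluded from the application group.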
17 Enable/Disable Event Auditing
Introduction
Change Auditor provides in-depth, real-time auditing for key Active Directory configuration changes. Change
Auditor allows you to enable/disable the auditing of individual events so that Change Auditor is auditing only
those events that are vital to your organization's operation. In addition, Change Auditor allows you to modify
the severity level (high, medium, or low) and description assigned to each event. The severity level is used by
Change Auditor when processing events and to help you in determining the potential level of risk associated
with each configuration change event.
This section provides a description of the Audit Event page (Administration Tasks tab) which is used to
enable/disable event auditing and modify an event's severity level or description. In addition, it provides
information on how to set up Change Auditor to capture events based on the results of the operation performed
in the event.
Description
Severity
Low
Medium
High
When your cursor is placed in this cell, a drop-down arrow is added allowing you to
change an event's severity setting.
Facility Name
Event Class
Status
License Type
Displays the type of Change Auditor license required for each event:
Any License
Active Directory
AD Query
Authentication Services
Cloud Storage
Defender
EMC
Exchange
File System
Logon Activity
Lync
NetApp
SharePoint
SonicWALL
SQL
Results
Displays the result criteria used to capture change events. That is, you can use the
options in this column to specify if an event is to be captured based on the results of the
operation mentioned in the event.
Success Only
For example, if you only want to capture successful events where the operation
occurred as stated in the event, you would set this to Success Only. Then, if the change
was prevented from occurring as stated in the event (because the object was protected
by Change Auditor or the operation was prevented due to a factor/setting outside of
Change Auditor's control) the associated event would not be captured.
event log.
Click the Auditing task button at the bottom of the navigation pane (left pane) of the Administration
Tasks tab.
Select Audit Events (under the Configuration heading in the Auditing task list) to display the Audit
Events page.
Select one or more enabled events and click the Disable tool bar button. (Use the Shift or Ctrl
keys to select multiple events.)
Select an enabled event, place your cursor in the corresponding Status cell, click the arrow
control and select Disabled from the drop-down menu.
Select one or more disabled events and click the Enable tool bar button. (Use the Shift or Ctrl
keys to select multiple events.)
Select a disabled event, place your cursor in the corresponding Status cell, click the arrow
control and select Enabled from the drop-down menu.
NOTE: You can also disable or enable an event using the Disable/Enable tool bar button at the top of the
Event Details pane on a Search Results page.
Select one or more events and click the appropriate Severity (High, Medium or Low) tool bar
button. Use the Shift or Ctrl keys to select multiple events.
Select an event, place your cursor in the corresponding Severity cell, click the arrow control and
select the appropriate severity level from the drop-down menu.
Right-click an event and select the appropriate severity level from the context menu.
To reset an event's severity to the factory default, select one or more events and click the Default tool
bar button.
Select the event from the list and click the Edit tool bar button.
This will display the Rename dialog listing the existing description and allowing you to enter a new
description for the selected event.
In the New field, enter the new description for the selected event and click OK.
Success Only - capture the event only if the operation occurred as stated in the event.
Success and Failed Only - capture the event if the operation occurred as stated in the event or if it was
prevented due to a factor/setting outside of Change Auditor's control.
Success and Protected Only - capture the event if the operation occurred as stated in the event or if it was
prevented because the object was protected using Change Auditor's protection feature.
Place your cursor in the Results cell for that event, click the arrow control and select one of the
following options:
Success Only
Change Auditor will now only capture and return the event if the operation mentioned in the event
meets the results criteria selected.
Select an event from the list and click the Knowledge Base tool bar button or right-click command.
This will open the Event Reference Guide.
18 Account Exclusion
Introduction
The account exclusion feature allows you to define a list of trusted accounts which are to be excluded from the
Change Auditor auditing process. This enables you to exclude events generated by accounts that make a large
number of changes or by accounts which are trusted.
To use the account exclusion feature, you must first complete the following steps to define the user/computer
accounts that can make changes without triggering an event in Change Auditor:
1 Create an Excluded Accounts template which specifies the user and/or computer accounts that are to be
excluded from the auditing process. For more information on creating a template, refer to Excluded
Accounts templates.
Add this template to an agent configuration. For more information on how to add a template to an agent
configuration, refer to Define agent configurations.
Assign the agent configuration to Change Auditor agents. For more information on how to assign an agent
configuration to an agent, refer to Assign agent configurations to server agents.
This section provides instructions for creating Excluded Accounts templates, as well as a description of the
Excluded Accounts page and Excluded Accounts wizard. For a description of the other dialogs mentioned in this
chapter, refer to the online help.
Template
Displays the name assigned to the template when it was created.
Status
Indicates whether the template is enabled or disabled. To enable/disable the template, place your
cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down
menu.
Account
This field is used for filtering data.
Operations
If specified, displays the event classes and/or facilities specified on the first page of the wizard that are
to be excluded for the account.
Click the expansion box to the left of the Template Name to expand this view and display the following details
about the template:
Type
Displays the type of account (i.e., user, computer or group) selected for exclusion as specified on the
second page of the wizard.
Account
Displays the name of the account selected for exclusion.
Display Name
If available, displays the display name assigned to the excluded accounts listed.
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the templates that meet the search criteria (i.e.,
comparison operator and characters entered). For more details about using the data filtering function
provided throughout the Change Auditor client, see Filter data.
Click the Auditing task button at the bottom of the navigation pane (left-hand pane).
Select Excluded Accounts (under the Configuration heading in the Auditing task list) to open the
Excluded Accounts Auditing page.
Click the Add tool bar button to launch the Excluded Accounts wizard which will step you through the
process of creating an Excluded Accounts template.
To add individual event classes, select one or more events from the displayed list and click
the Add | Add This Event button.
To add all the events in a facility, select an event from the facility and click the Add | Add
All Events in Facility button.
After providing a name and optionally selecting the facilities/event classes to be excluded, click Next.
On the second page of the wizard, select the accounts that are to be excluded from Change Auditor
auditing.
Use the Browse or Search pages to locate and select the account to be excluded. Click the Add button to
add the selected account to the list box at the bottom of the page.
Repeat this step to add additional accounts to the exclusion list.
(Optional) To specify a wildcard search expression to dynamically exclude additional user accounts from
auditing, click Next.
On the Select Accounts to Exclude using Wildcards page, add the accounts to be excluded from auditing.
In the text box, enter the wildcard expression (string of characters and/or wildcard character) to be
used to search the Domain(NetBIOS)\NT 4 account name for matching users:
Click the Add button to add the string to the Account list.
NOTE: This page should be used to exclude multiple users that match the wildcard search
expression. Explicitly named user accounts must be specified on the previous page of the wizard.
8 After specifying the accounts to be excluded, click the Finish button to create the template without
assigning it to an agent configuration.
Clicking the Finish button will create the template, close the wizard and return to the Excluded
Accounts Auditing page, where the newly created template will now be listed.
To create the template and assign it to an agent configuration, expand the Finish button and click Finish
and Assign to Agent Configuration.
This will display the Configuration Setup dialog, allowing you to select the agent configuration to which
the template is to be assigned.
NOTE: Back on the Excluded Accounts Auditing page, you can also use the Assign tool bar button to
assign the selected template to an agent configuration. Clicking this button will display the
Configuration Setup dialog allowing you to select the agent configuration to which this template is
to be assigned.
10 On the Agent Configuration page, select the agent(s) assigned to use the modified agent configuration
and click the Refresh Configuration tool bar button. This will ensure the agent(s) are using the latest
configuration.
NOTE: If you do not refresh the agent's configuration, the agent will automatically check for a new
agent configuration based on the polling interval setting (located on the System Settings tab of the
Configuration Setup dialog). The default is every 15 minutes.
On the Excluded Accounts Auditing page, select the template to be modified and click the Edit tool bar
button or right-click command.
This will display the Excluded Accounts wizard, where you can modify the current list of accounts
included in the template.
Click the Finish button or expand the Finish button and click Finish and Assign to Agent Configuration.
On the Auditing page, use one of the following methods to disable an auditing template:
Place your cursor in the Status cell for the template to be disabled, click the arrow control and
select Disabled.
The entry in the Status column for the template will change to Disabled.
2 To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
On the Auditing page, use one of the following methods to delete a template:
Select the template to be deleted and click the Delete | Delete Template tool bar button.
A dialog will be displayed confirming that you want to delete the selected template. Click Yes.
On the Excluded Accounts Auditing page, use one of the following methods to delete an account from an
auditing template:
Select the account to be deleted and click the Delete | Delete Excluded Account tool bar button
A dialog will be displayed confirming that you want to delete the account from the template. Click Yes.
NOTE: If the account is the last one in the template, deleting this account will also delete the
template.
Template Name
Enter a descriptive name for the Excluded Accounts template being created.
Facility/Event Class data grid
The data grid located across the middle of the page displays all of the event classes
available for auditing in Change Auditor.
By default, all event classes/facilities will be excluded for the selected account(s).
To exclude individual event classes and/or facilities, use this grid to select the
event class(es) and/or facilities to be excluded and use the Add button to add them
to the Exclusion list box at the bottom of the page.
NOTE: The Change Auditor Internal Auditing facility or events CANNOT be excluded.
Exclusion list
The list box located at the bottom of this page displays the individual event classes
or facilities selected for exclusion. Use the buttons above this list box to add or
remove entries from this list.
Add | Add This Event - Click this option to add the selected events to the
list box. This option is selected by default when more than one event is
selected in the data grid.
Add | Add All Events in Facility - Click this option to add all of the events in
the selected facility to the list box. This option is only available when a
single event is selected in the data grid.
Remove - Select an entry in the list box and click the Remove button to
remove it from the template.
NOTE: If you want to exclude all event classes/facilities for the selected account,
this list box will be empty.
Browse page
Search page
Use the controls at the top of the Search page to search your environment to locate
the desired account.
Once you have selected an account, click the Add button to add it to the list box at
the bottom of the page.
Options page
Use the Options page to modify the search options used to retrieve directory
objects.
NOTE: For more information on using the Browse, Search or Options pages, refer to Directory object picker.
Account list
The list box located across the bottom of this page, displays the accounts selected
for exclusion. Use the buttons located above this list box to add and remove
objects.
Add - Select an account in the Browse or Search page and click the Add
button to add it to the list.
Remove - Select an entry from the list and then click the Remove button to
remove it.
In the text box, enter the string of characters and/or wildcard character to be used
to search for additional user accounts that are to be excluded from auditing. Valid
wildcards are:
Click the Add button to add the string to the Account list.
Account list
The list at the bottom of the page displays the wildcard search expressions to be
used to search for additional user accounts that are to be excluded from auditing.
Use the buttons to the left of the text box to add, remove and modify a search
expression.
Add - Click the Add button to add the search expression in the text box to
the Account list.
Remove - Select an entry in the Account list and click the Remove button to
remove it from the list.
Modify - Select an entry in the Account list, make the necessary changes to
the search expression (which is displayed in the text box) then click the
Modify button to replace it in the Account list.
NOTE: If you click the Add button after modifying a search expression, an
additional entry will be added instead of replacing the original search expression.
19 VMware Auditing
Introduction
Change Auditor's VMware auditing feature helps you ensure the security, compliance and control of event
activity and the security of VMware vCenter. It manages, audits, reports and alerts on vital changes to
VMware's infrastructure, including datacenters, hosts, virtual machines and other resources associated with
vCenter or ESX hosts.
NOTE: Throughout the Change Auditor product and documentation, references to ESX means all
supported versions of ESX and ESXi.
This section provides a description of the VMware Auditing page and explains how to create a VMware Auditing
template. It also provides a description of the VMware Auditing wizard used to specify the VMware hosts that
are to be audited. For a description of the dialogs mentioned in this chapter, refer to the online help.
The VMware Auditing page allows you to create VMware Auditing templates specifying the VMware host(s) to be
audited. You can also edit existing templates, disable/enable templates and delete templates that are no
longer being used.
The VMware Auditing page contains an expandable view of all the VMware Auditing templates that have been
previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following
information is displayed for the template:
Template
Displays the name assigned to the template when it was created.
Status
Indicates whether the template is enabled or disabled. To enable/disable the template, place your
cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down
menu.
Agent
Displays the name of the Change Auditor agent assigned to audit the selected VMware host(s).
Dell Change Auditor 6.7
User Guide
158
User
Displays the name of the user being used to access the VMware host(s) that are being audited.
VMware Hosts
This field is used for filtering data.
Click the expansion box to the left of the Template name to expand this view and display additional details
about an auditing template.
VMware Host
Displays the name or IP address of the vCenter Server or VMware host being audited, as entered on the
first page of the wizard.
Status
Indicates whether auditing of the selected host is enabled or disabled.
Port
Displays the port number being used to access the selected vCenter Server or VMware host.
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the templates that meet the search criteria (i.e.,
comparison operator and characters entered). For more details about using the data filtering function
provided throughout the Change Auditor client, see the Dell Change Auditor User Guide.
To enable VMware auditing in Change Auditor, you must first create a VMware Auditing template which
specifies the VMware hosts to be audited and the Change Auditor agent to be used to monitor the selected
VMware hosts.
NOTE: If you add multiple machines (such as vCenter Servers and/or ESX hosts) to a single auditing
template, all of these machines must use the same credentials. If you want to audit machines that use
different credentials, you must create a different VMware Auditing template for each of these machines.
Click the Auditing task button at the bottom of the navigation pane (left pane).
Select VMware (under the Applications heading in the Auditing task list) to open the VMware Auditing
page.
Use the Add tool bar button to launch the VMware Auditing wizard which will step you through the
process of creating a VMware Auditing template.
VMware Host - Enter the IP address or name (the name entered must be resolvable) of the
vCenter Server or of an individual host computer to be audited and click the Add button to add it
to the VMware Host list.
NOTE: To audit one or more hosts on a specific vCenter Server, use the Find ESX Hosts
button to search for and select the ESX host(s) to be audited. Clicking this button displays
the Find ESX Hosts dialog, where you will be asked to enter the information/credentials for
the vCenter Server for which you want to view ESX hosts. After entering the vCenter Server
information/credentials, click Search to retrieve a list of hosts. Select one or more hosts
from the list and click OK to save your selection and close the dialog. The selected hosts
will now be displayed in the VMware Host list in the auditing wizard.
Click Next to select the Change Auditor agent to be used for VMware auditing.
Click the Set Credentials button and enter the credentials to be used to access the selected vCenter
Server or VMware host(s). After entering the credentials, click the OK button to close the credentials
dialog.
IMPORTANT: An account with Read-Only access (or a role restricted to read-only permissions) is
sufficient to properly audit VMware events. The credentials entered may be Active Directory or Linux
credentials depending on the machine (vCenter Server vs. individual host computer) selected for
auditing. If you specified multiple machines (i.e., vCenter Servers and/or ESX hosts) in the auditing
template, all of these machines must use the same credentials.
A desktop notification indicates whether access is granted or denied to the specified vCenter Server or
VMware host based on the credentials entered.
9 When valid credentials are entered, a Certificate Notice is displayed for each machine selected for
auditing. Click OK to accept the certificate(s). Once valid credentials are supplied and the certificate(s)
have been accepted, click the Finish button to close the wizard and create the template.
10 On the Administration Tasks tab, click the Configuration task button at the bottom of the navigation
pane. Select Agent in the Configuration task list to open the Agent Configuration page.
11 Select the Change Auditor Agent assigned to the VMware Auditing template (Auditing appears in the
VMware column) and click the Refresh Configuration tool bar button or right-click command. This will
ensure the agent is using the latest configuration.
NOTE: If you do not refresh the agent's configuration, the agent will automatically check for a new
agent configuration based on the polling interval setting (located on the System Settings tab of the
Configuration Setup dialog). The default is every 15 minutes.
On the Auditing page, use one of the following methods to disable an auditing template:
Place your cursor in the Status cell for the template to be disabled, click the arrow control and
select Disabled.
The entry in the Status column for the template will change to Disabled.
2 To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
On the VMware Auditing page, use one of the following methods to disable the auditing of a VMware
host:
Place your cursor in the Status cell for the host to be disabled, click the arrow control and select
Disabled.
The entry in the Status column for the host will change to Disabled.
2 To re-enable the auditing of a host, use the Enable option in either the Status cell or right-click menu.
On the Auditing page, use one of the following methods to delete a template:
Select the template to be deleted and click the Delete | Delete Template tool bar button.
A dialog will be displayed confirming that you want to delete the selected template. Click Yes.
The following table provides a description of the fields and controls in the VMware Auditing wizard.
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your
cursor over this icon displays a tool tip explaining what needs to be entered.
Template Name
Enter a descriptive name for the VMware auditing template being created.
VMware Host
Enter the IP address or name (must be resolvable) of the vCenter Server or of a
VMware host that is to be audited.
Add
After entering the IP address or name of a host in the VMware Host text box, use
the Add button to add the host to the VMware Host selection list.
Find ESX Hosts
Clicking this button displays the Find ESX Hosts dialog allowing you to search a
vCenter Server to select the ESX hosts that are to be audited. On this dialog,
enter the IP address or name (and port) of the vCenter Server for which you want
to view ESX hosts. Click Search to retrieve a list of hosts on the selected vCenter
Server. Select one or more hosts from the list and click OK to save your selection
and close the dialog.
Remove
To remove a host from auditing, select it in the VMware Host selection list and
click the Remove button to the right of the list box.
VMware Host selection list
This list box displays the following information about the VMware hosts selected
for auditing.
VMware Host - Displays the IP address or name of the host selected for
auditing.
Port - Displays the port to be used for communication. This will display the
default SSL port (443). If this is not the correct port number for a host, use
the arrow controls to change it.
Browse
Clicking the Browse button displays the Eligible Change Auditor Agents dialog
allowing you to select an agent from the list of deployed agents.
NOTE: The Eligible Change Auditor Agents dialog only lists eligible servers running
.NET 4.0 Framework, which is a requirement for the agent selected to audit
VMware.
Once an agent is selected, the following details are displayed:
Agent
Domain
Agent FQDN
User (after valid credentials have been entered using the Set Credentials
button)
Set Credentials
Clicking the Set Credentials button displays the VMware Host Credentials dialog
allowing you to enter the credentials to be used to access the machine(s) (vCenter
Servers and/or hosts) selected on the first page of the wizard.
NOTE: If you specified multiple machines (i.e., vCenter Servers and/or ESX hosts)
in the auditing template, all of these machines must use the same credentials.
NOTE: Valid credentials must be entered in order to proceed.
Clear Credentials
Clicking the Clear Credentials button allows you to clear previously entered
credentials.
Once a Change Auditor agent has been selected, the following information is
displayed:
Agent
Domain
Agent FQDN
User
Use the VMware tab at the top of the Configuration Setup dialog to define the polling interval to be used to
retrieve VMware events.
Polling Interval
This setting determines how often the agent will poll the VMware host(s) for new VMware events. The
default is every 60 seconds. Use the arrow controls to increase or decrease this value.
Valid range: 60 - 9999 seconds.
20 Registry Auditing
Introduction
The ability to audit registry settings improves operational efficiency dramatically. For example, some
applications, such as virus scanning software, modify registry keys when an update is installed. By capturing
these change events proactively, administrators can determine whether or not specific machines received an
update.
Furthermore, other applications may warrant the tracking of modifications to certain registry settings to ensure
that they have not been tampered with. Change Auditor's enhanced registry auditing feature allows you to audit
changes to a specific key or to a folder and its sub folders.
To capture registry events in Change Auditor, you must first complete the following steps to define the registry
keys to be audited and the events to be captured:
1 Create a Registry Auditing template which specifies the registry keys and events to be audited. For more
information on creating a Registry Auditing template, refer to Registry Auditing templates.
2 Add this template to an agent configuration. For more information on adding a Registry Auditing
template to an agent configuration, refer to Define agent configurations.
3 Assign the agent configuration to Change Auditor agents. For more information on assigning an agent
configuration to an agent, refer to Assign agent configurations to server agents.
NOTE: Event logging is disabled by default; when enabled, only configured activities will be captured
in the Windows event log.
This section provides instructions for creating Registry Auditing templates, as well as a description of the
Registry Auditing page and Registry Auditing wizard. For a description of the other dialogs mentioned in this
chapter, refer to the online help.
The Registry Auditing page contains an expandable view of all the Registry Auditing templates that have been
previously defined. To add a new template to the list, use the Add tool bar button. Once added, the following
information is provided for the template:
Template
Displays the name assigned to the template when it was created.
Status
Indicates whether the template is enabled or disabled. To enable/disable the template, place your
cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down
menu.
Registry Keys
This field is used for filtering data.
Click the expansion box to the left of the Template name to expand this view and display additional details
about an auditing template.
Registry Key
Displays the path of the registry key in the HKEY_LOCAL_MACHINE hive that was selected for auditing
on the Key page of the wizard.
Status
Indicates whether auditing of the registry key is enabled or disabled. To enable/disable the auditing of
the registry key, place your cursor in this Status cell, click the arrow control and select the appropriate
option from the drop-down menu.
Scope
Displays the scope selected for this template on the Key page of the wizard:
Value
If applicable, this column displays the specific value selected for auditing (only applies to This object
and child objects only scope).
Operations
Displays the events selected for auditing on the Events page of the wizard. Hover your mouse over this
cell to view all of the events included in the template.
Exclude
Displays the names of the sub keys to be excluded from auditing as specified on the Exclusions tab of the
wizard.
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the templates that meet the search criteria (i.e.,
comparison operator and characters entered). For more details about using the data filtering function
provided throughout the Change Auditor client, see Filter data.
Click the Auditing task button from the bottom of the navigation pane (left-hand pane).
Select Registry (under the Server heading in the Auditing task list) to open the Registry Auditing page.
Click the Add tool bar button to launch the Registry Auditing wizard which will step you through the
process of creating a Registry Auditing template.
Enter or use one of the Browse options to locate and select the registry key in the HKEY_LOCAL_MACHINE
hive to be audited.
Selecting the Browse | Local Registry option displays the Select registry key dialog allowing you
to select a registry key from the local server.
Selecting the Browse | Remote Registry option displays the Select Active Directory Object dialog
allowing you to select the server whose registry you would like to browse. Use the Browse or
Search pages to locate and select the server. On the Select registry key dialog select the registry
key to be audited.
Once you have selected the registry key to be audited, click the Add button to add it to the selection
list.
Repeat this step to add additional registry keys to the template.
For each registry key listed, select the key in the list and perform steps 8 - 11 to specify the scope,
events, values and optionally any sub keys that are to be excluded.
In the Scope cell, use the drop-down menu to select the scope of coverage:
On the Events tab select the key and value events that are to be included in the audit.
NOTE: Selecting the Key Events or Value Events check box at the top of the events list on the
Events tab will select all of the events listed under the heading. Similarly, clearing the check boxes
will clear all of the selected events.
10 If you selected the This object and child objects only option in the Scope cell, you can also specify a
specific value for the selected key. To audit a specific value, open the Value tab and enter the value in
the text box provided.
11 (Optional) On the Exclusions tab, add the names of any sub keys to be excluded from auditing. Use one
of the Browse options to locate and select a sub key under the selected registry key to be excluded from
auditing:
Selecting Browse | Local Registry displays the Select registry key dialog allowing you to select a
sub key from the local server.
Selecting Browse | Remote Registry displays the Select Active Directory Object dialog allowing
you to select the server whose registry you would like to browse. Use the browse or search pages
to locate and select the server. From the Select registry key dialog, select the sub key to be
excluded.
NOTE: If you select a sub key that does not belong to the selected registry key, the wizard will not
allow you to continue. A red flashing icon is displayed indicating that you have selected a sub key
outside of the selected registry key.
You can also enter the name of the sub key to be excluded or use a file mask to select a group of sub
keys. A file mask can contain any combination of the following:
Fixed characters such as letters, numbers and other characters allowed in sub key names.
Once you have specified a sub key for exclusion, click the Add button to add it to the Exclusions list at
the bottom of the page.
Repeat this step to add additional sub keys to the Exclusions list.
12 To create the template without assigning it to an agent configuration, click the Finish button.
Clicking the Finish button will create the template, close the wizard and return to the Registry Auditing
page, where the newly created template will now be listed.
13 To create the template and assign it to an agent configuration, expand the Finish button and click the
Finish and Assign to Agent Configuration option.
This will display the Configuration Setup dialog allowing you to select the agent configuration to which
this template is to be assigned.
NOTE: On the Auditing page, you can also use the Assign tool bar button to assign the selected
template to an agent configuration. Clicking this button will display the Configuration Setup dialog
allowing you to select the agent configuration to which this template is to be assigned.
14 On the Agent Configuration page, select the agent(s) assigned to use the modified agent configuration
and click the Refresh Configuration tool bar button. This will ensure the agents use the latest
configuration.
NOTE: If you do not refresh the agent's configuration, the agent will automatically check for a new
agent configuration based on the polling interval setting (located on the System Settings tab of the
Configuration Setup dialog). The default is every 15 minutes.
On the Registry Auditing page, select the registry key whose properties are to be modified, and click the
Edit tool bar button or right-click command.
This will display the Registry Auditing wizard, where you can modify the following properties:
Registry key
Scope
Once you have made your modifications, click the Finish button or expand the Finish button and click
Finish and Assign to Agent Configuration.
On the Auditing page, use one of the following methods to disable an auditing template:
Place your cursor in the Status cell for the template to be disabled, click the arrow control and
select Disabled.
The entry in the Status column for the template will change to Disabled.
2 To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
On the Registry Auditing page, use one of the following methods to disable an individual registry key:
Place your cursor in the Status cell for the registry key to be disabled, click the arrow control and
select Disabled from the drop-down menu.
The entry in the Status column for the registry key will change to Disabled.
2 To re-enable the auditing of a registry key, use the Enable option in either the Status cell or right-click
menu.
On the Auditing page, use one of the following methods to delete a template:
Select the template to be deleted and click the Delete | Delete Template tool bar button.
A dialog will be displayed confirming that you want to delete the selected template. Click Yes.
On the Registry Auditing page, use one of the following methods to delete a registry key from an auditing
template:
Select the registry key to be deleted and click the Delete | Delete Registry Key tool bar button
Select the template to be deleted and click the Edit tool bar button or right-click command. On
the Registry Auditing wizard, select the registry key to be removed and click the Remove button.
A dialog will be displayed confirming that you want to delete the registry key from the template. Click
Yes.
NOTE: If the registry key is the last one in the template, deleting this registry key will also delete
the template.
Template Name
Enter a descriptive name for the Registry Auditing template being created.
Registry Key
Enter or use one of the browse options to select the registry key in the
HKEY_LOCAL_MACHINE hive to be audited.
Browse
Local Registry - select this option to browse and select a registry key
from the local computer.
Remote Registry - select this option to browse and select a registry key
from a remote server. Selecting this option displays the Select Active
Directory Object dialog allowing you to select the server whose registry
you would like to browse. Use the browse or search pages to locate and
select the server.
NOTE: Make sure that the selected remote computer is on the network, has
remote administration enabled and that both computers are running the
remote registry service. If the remote computer does not allow remote admin
access, a message will be displayed explaining that you need to select a
different server.
Registry Keys list
The list box located across the middle of the page displays the registry keys to
be included in the Registry Auditing template. Use the Add and Remove
buttons to control the contents of this list:
Add - Use the Add button to add the specified registry key to the
template.
Remove - Select a registry key from the list and click the Remove
button to remove the selected registry key from the template.
Use the drop-down box in the Scope cell of the list box to specify the scope of
coverage:
This object only - select this option to audit only this key, not its values
or sub keys.
This object and child objects only - select this option to audit this key,
its values and direct sub keys only. This is not recursive.
This object and all child objects - select this option to audit this key,
all sub keys and all values. (Default)
Select a key in this list to enable the corresponding Events, Value and
Exclusions tabs at the bottom of this page.
Events tab
Use the Events tab to select the type of events (e.g., registry key added, registry key deleted) that are to be
audited for the selected registry key. The contents of this tab are based on the entry selected above in the
Registry Keys list.
Key Events
Select the Key events to audit. Select the Key Events check box to select all of
the Key events listed or select individual events from the list.
Value Events
Select the Value events to audit. Select the Value Events check box to select
all of the Value events listed or select individual events from the list.
Browse
To exclude a sub key in the selected registry key from being audited, expand
the Browse button and select one of the browse options to browse either the
local or remote server for the sub key:
Local Registry - select this option to select a sub key from the local
server.
Remote Registry - select this option to select a sub key from a remote
registry. Selecting this option displays the Select Active Directory
Object dialog allowing you to select the server whose registry you would
like to browse. Use the browse or search pages to locate and select the
server.
NOTE: Make sure that the selected remote computer is on the network, has
remote administration enabled and that both computers are running the
remote registry service. If the remote computer does not allow remote admin
access, a message will be displayed explaining that you need to select a
different server.
You can also enter the name of the sub key to be excluded from auditing. Use a
file mask to select a group of sub keys. A file mask can contain any combination
of the following:
Once you have specified a sub key for exclusion, click the Add button to add it
to the Excluded Keys list at the bottom of the page.
Excluded Keys list
The list across the bottom of this page contains the sub keys that are to be
excluded from auditing. Use the Add and Remove buttons to add and remove
entries.
Add - Use the Add button to add the specified sub key to the Excluded
Keys list.
Remove - Select an entry in the Excluded Keys list and click the
Remove button to remove it.
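The scope options in the Scope cell of the Registry Keys list and the Excluded Keys list on the Exclusions tab together decide which registry changes a template row will audit. The Python model below is added here as an illustration and is not Change Auditor code: the three scope names are the ones the guide lists, but the path-matching rules, the class and function names, the decision to treat the Value tab filter as applying to value events only, and the constructed sample events are all this example's assumptions. Exclusion entries are matched as exact sub key names or relative paths; file masks with wildcards are not modelled.

```python
"""Model of a Registry Auditing template row's scope and exclusion rules.

Added illustration, not Change Auditor code. Scope names follow the user
guide; the matching rules are this example's interpretation of its text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HIVE_PREFIXES = ("hkey_local_machine", "hklm")

# Scope options as shown in the Scope cell of the Registry Keys list.
THIS_OBJECT_ONLY = "This object only"
THIS_AND_CHILDREN = "This object and child objects only"    # not recursive
THIS_AND_ALL_CHILDREN = "This object and all child objects"  # default, recursive


def split_key(path: str) -> List[str]:
    """Split a registry path into lower-cased components (registry names are
    case-insensitive). A leading HKEY_LOCAL_MACHINE or HKLM prefix is dropped,
    since every template key lives in that hive."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    if parts and parts[0] in HIVE_PREFIXES:
        parts = parts[1:]
    return parts


@dataclass
class RegistryTemplateKey:
    """One row of the Registry Keys list: the key, its scope, an optional value
    filter (Value tab) and the Excluded Keys list (sub keys relative to the key)."""
    key: str
    scope: str = THIS_AND_ALL_CHILDREN
    value: Optional[str] = None
    exclusions: List[str] = field(default_factory=list)

    def relative_path(self, event_key: str) -> Optional[List[str]]:
        """Components of event_key below the template key: [] for the key
        itself, None when the event key lies outside the template key."""
        base, ev = split_key(self.key), split_key(event_key)
        if ev[:len(base)] != base:
            return None
        return ev[len(base):]

    def is_excluded(self, rel: List[str]) -> bool:
        """An excluded sub key removes itself and everything beneath it."""
        for entry in self.exclusions:
            ex = split_key(entry)
            if ex and rel[:len(ex)] == ex:
                return True
        return False

    def captures(self, event_key: str, value_name: Optional[str] = None) -> bool:
        """Decide whether a key event (value_name None) or a value event on
        event_key falls inside this template row."""
        rel = self.relative_path(event_key)
        if rel is None or self.is_excluded(rel):
            return False
        if self.scope == THIS_OBJECT_ONLY:
            # Only the key itself: no values, no sub keys.
            return rel == [] and value_name is None
        if self.scope == THIS_AND_CHILDREN:
            if len(rel) > 1:
                return False  # grandchildren are out of scope (non-recursive)
            # Assumption: the Value tab filter restricts value events only.
            if self.value is not None and value_name is not None:
                return value_name.lower() == self.value.lower()
            return True
        return True  # THIS_AND_ALL_CHILDREN: the key, all sub keys, all values


def captured_events(row: RegistryTemplateKey,
                    events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events that the template row would audit."""
    return [e for e in events if row.captures(e["key"], e.get("value"))]


# Constructed sample events (not taken from any real system).
SAMPLE_EVENTS = [
    {"key": r"HKLM\SOFTWARE\Contoso\Agent", "op": "key modified"},
    {"key": r"HKLM\SOFTWARE\Contoso\Agent", "value": "InstallPath", "op": "value modified"},
    {"key": r"HKLM\SOFTWARE\Contoso\Agent\Settings", "value": "LogLevel", "op": "value added"},
    {"key": r"HKLM\SOFTWARE\Contoso\Agent\Settings\Plugins", "op": "key added"},
    {"key": r"HKLM\SOFTWARE\Contoso\Agent\Cache\Entry1", "op": "key added"},
    {"key": r"HKLM\SOFTWARE\Contoso\Other", "op": "key deleted"},
]

if __name__ == "__main__":
    row = RegistryTemplateKey(key=r"SOFTWARE\Contoso\Agent",
                              scope=THIS_AND_CHILDREN, exclusions=["Cache"])
    for e in SAMPLE_EVENTS:
        verdict = "audit " if row.captures(e["key"], e.get("value")) else "ignore"
        suffix = f" [{e['value']}]" if "value" in e else ""
        print(f"{verdict} {e['op']:<15} {e['key']}{suffix}")
```

Running the module prints an audit/ignore verdict for each constructed event under a "This object and child objects only" row with the Cache sub key excluded: the key, its values and its direct sub key are audited, while the grandchild key, the excluded sub key and a sibling key are ignored. Switching the row to the default recursive scope makes the grandchild key audited as well.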
21 Service Auditing
Introduction
Windows services are the backbone of applications and require frequent administrator actions. Changes can
be simple, such as changing a startup type or service account password, but even simple changes can cause
major issues; in this case they would render an application useless to its users. Change Auditor provides
service auditing capabilities, including the ability to track who starts and stops a service.
To capture service events, you must first complete the following steps to define the services to be audited:
1 Create a Service Auditing template which specifies the system service(s) to be audited or excluded from
auditing. For more information on creating a template, refer to Service Auditing templates.
NOTE: On an upgrade, Change Auditor will apply a default Service Auditing template to the Default
Configuration which will audit all services as the product did in the past. To specify individual
services, you will need to modify this auditing template for the Default Configuration or create and
apply a new Service Auditing template.
2 Add this template to an agent configuration. For more information on how to add a template to an agent
configuration, refer to Define agent configurations.
3 Assign the agent configuration to Change Auditor agents. For more information on how to assign an agent
configuration to an agent, refer to Assign agent configurations to server agents.
NOTE: Event logging is disabled by default; when enabled, only configured activities will be captured
in the Windows event log.
This section provides instructions for creating Service Auditing templates, as well as a description of the Service
Auditing page and Service Auditing wizard. For a description of the other dialogs mentioned in this chapter,
refer to the online help.
The Service Auditing page contains an expandable view of all the Service Auditing templates that have been
previously defined. To add a new template to this list, use the Add tool bar button. Once added, the following
information is provided for each template:
Template
Displays the name assigned to the template when it was created.
Status
Indicates whether the template is enabled or disabled. To enable/disable the template, place your
cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down
menu.
Exclude
Displays the option selected to determine which services are to be included or excluded from auditing:
Audit ALL
Audit ONLY
Services
This field is used for filtering data.
When individual services have been included in a Service Auditing template, click the expansion box to the left
of the Template name to expand this view and display the following details:
Service
Displays the name of the service(s) included in the template.
Status
Indicates whether auditing of the service is enabled or disabled. To enable/disable the auditing of the
service, place your cursor in this Status cell, click the arrow control and select the appropriate option
from the drop-down menu.
Display Name
Displays the display name for the listed services.
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter
characters into these cells, the client will redisplay the templates that meet the search criteria (i.e.,
comparison operator and characters entered). For more details about using the data filtering function
provided throughout the Change Auditor client, see Filter data.
Click the Auditing task button at the bottom of the navigation pane (left-hand pane).
Select Services (under the Server heading in the Auditing task list) to open the Services Auditing page.
Click the Add tool bar button to launch the Service Auditing wizard which allows you to define the
system services to be included in the template.
Select one of the following options to define whether this template is to include or exclude system
services for auditing:
If you selected either the Audit ALL services except the following or the Audit ONLY the following
services option, the data grid will be activated allowing you to select the services to be included or
excluded depending on the option selected.
From the services listed, select one or more services and click the Add button to move them to the list
box located at the bottom of the page. Or you can use the Add All button to move all of the services
listed to the list box.
If you would like to view the services on a different server, click the browse button to the far right of the
field entitled You are viewing services on.
Clicking the browse button will display the Select a Directory Object dialog, where you can use either
the Browse or Search pages to locate and select a different server. After selecting the server to be
viewed, click the Select button to close the dialog and display the services found on the selected server.
To create the template without assigning it to an agent configuration, click the Finish button.
Clicking the Finish button will create the template, close the wizard and return to the Services Auditing
page, where the newly created template will now be listed.
10 To create the template and assign it to an agent configuration, expand the Finish button and click Finish
and Assign to Agent Configuration.
This will display the Configuration Setup dialog allowing you to select the agent configuration to which
this template is to be assigned.
NOTE: Back on the Auditing page, you can also use the Assign tool bar button to assign the selected
template to an agent configuration. Clicking this button will display the Configuration Setup dialog
allowing you to select the agent configuration to which this template is to be assigned.
11 On the Agent Configuration page, select the agent(s) assigned to use the modified agent configuration
and click the Refresh Configuration tool bar button. This will ensure the agent(s) are using the latest
configuration.
NOTE: If you do not refresh the agent's configuration, the agent will automatically check for a new
agent configuration based on the polling interval setting (located on the System Settings tab of the
Configuration Setup dialog). The default is every 15 minutes.
To modify a template:
1 On the Services Auditing page, select the template to be modified and click the Edit tool bar button or right-click command.
This will display the Service Auditing wizard, where you can modify the current list of services included in the template.
2 Click the Finish button or expand the Finish button and click Finish and Assign to Agent Configuration.
To disable a template:
The disable feature allows you to temporarily stop auditing the specified service without having to remove the auditing template or individual service from an active template.
1 On the Auditing page, use one of the following methods to disable an auditing template:
Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.
The entry in the Status column for the template will change to Disabled.
2 To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
To disable a service:
1 On the Services Auditing page, use one of the following methods to disable a service:
Place your cursor in the Status cell for the service to be disabled, click the arrow control and select Disabled.
The entry in the Status column for the service will change to Disabled.
2 To re-enable the auditing of a service, use the Enable option in either the Status cell or right-click menu.
To delete a template:
1 On the Auditing page, use one of the following methods to delete a template:
Select the template to be deleted and click the Delete | Delete Template tool bar button.
A dialog will be displayed confirming that you want to delete the selected template. Click Yes.
To delete a service from a template:
1 On the Services Auditing page, use one of the following methods to delete a service from an auditing template:
Select the service to be deleted and click the Delete | Delete Service tool bar button.
Select the template to be modified and click the Edit tool bar button or right-click command. On the wizard, select the service to be deleted and click the Remove button.
A dialog will be displayed confirming that you want to delete the service from the template. Click Yes.
NOTE: If the service is the last one in the template, deleting this service will also delete the template.
Template Name - Enter a descriptive name for the Service Auditing template being created.
Inclusion/Exclusion options - If you selected either the Audit ALL services except the following or the Audit ONLY the following services option, the data grid will be activated, allowing you to select the services to be included or excluded depending on the option selected. Select the service(s) to be included in the template and click the Add button to add them to the list box at the bottom of the dialog.
You are viewing services on - Displays the name of the server from which the service data grid was populated. Use the browse button to the right of this field to select a different server. The services found on the selected server will then be displayed.
Services list - The list box located across the bottom of the page displays the individual services to be included in the Services Auditing template. Use the buttons above this list box to add or remove services.
Add - Use the Add button to add the service(s) selected in the Services data grid to the list.
Add All - Use the Add All button to add all of the services listed in the Services data grid to the list.
Remove - Select a service entry in the list and click the Remove button to remove it from the template (move it back into the Services data grid).
NOTE: If you want to audit all services, this list will be empty.
22 Agent Statistics and Logs
Introduction
In addition to the overview information provided in the Top Agent Activity pane and Agent Status pane on the
Overview page, Change Auditor provides two additional means of obtaining agent status and statistics:
The Agent Statistics page provides a global view of all installed (and if selected, uninstalled) Change
Auditor agents, including the current status and other usage statistics for each agent.
The Change Auditor Agent Status dialog, which is accessed using the Change Auditor agent system tray
icon, provides the status and usage statistics for a single agent.
You can also view or retrieve agent trace logs from the Agent Statistics page or by using the Change Auditor
agent system tray icon.
This chapter provides a description of the Agent Statistics page as well as the agent system tray component and
explains how to use these features to maintain Change Auditor agents.
Agent Statistics grid, located at the top of the page, consists of a list of Change Auditor agents and their
current status and usage statistics.
Resource Properties pane, located across the bottom of the page, displays additional information about
the selected agent.
The Agent Statistics grid may contain the following information for each agent. The value in parentheses after each field name is the Default column, which identifies whether the field is displayed by default. To display different fields, click the Field Chooser button located to the far left of the column headings and select the columns to be displayed:
NOTE: All dates and times are based on the client's current local date and time. The format used to display the date and time is determined by the local machine's regional and language setting.
Field (Default) - Description
Active Directory (No)
ADAM (No)
Agent (Yes) - Displays the NetBIOS name of the server that hosts a Change Auditor agent.
Agent FQDN (No)
Architecture (No)
Configuration (No)
Coordinator (No)
DB Size (Yes)
Domain (Yes)
EMC (No)
[field name missing] (No) - Displays the number of events encountered on the agent during the past 24 hours from when the dialog is initially opened during the current client session. The value in this field is a hypertext link and when selected launches a quick search to display the events generated in the last 24 hours.
Events Today (Yes)
Events Total (Yes) - Displays the number of events encountered since the agent was started. The value in this field is a hypertext link and when selected launches a quick search to display all events encountered since the agent was started.
Events Yesterday (No)
Exchange (No)
Exchange Server (No)
Exclude Account (No)
File System (No)
Forest (No)
Group Policy (No)
IP Address (No)
Last Update (Yes) - Displays the date and time when the agent configuration was last updated.
Load (Yes)
Message (Yes)
NetApp (No)
Registry (No)
Service (No)
SharePoint (No)
SQL (No)
Startup Time (No) - Displays the date and time when the agent was last initialized.
Status (Yes) - Possible values: active, inactive, uninstalled.
Type (No) - Possible values: Domain Controller, Global Catalog, Server, Workstation.
Uptime (Yes)
Version (No)
VMware (No)
Workstation (No)
In addition to selecting the fields to be displayed in the grid, you can use the drop-down controls above the grid to define which servers/workstations are to be included on the Agent Statistics page.
The following table describes how to use these controls to filter the content displayed on the Agent Statistics page.
Table 32. Agent Statistics page: Filter controls
Type - Use the left-most control to specify the type of objects to be included in the display.
[control name missing] - By default, the Agent Statistics page provides a forest view of the servers found. However, you can use the right-most controls to limit your view to an individual domain or site. Use the middle control to select the Active Directory view (forest, domain or site), then use the right-most control to select an individual forest, domain or site for which servers are to be displayed.
To display the Resource Properties pane, use one of the following methods:
select an agent from the Agent Statistics grid and click the Show Properties tool bar button
right-click an agent entry on the Agent Statistics grid and select Show Properties
Click the close button in the upper right-hand corner of the Resource Properties pane to hide this pane.
NOTE: The Resource Properties pane also appears when you use the Related Search | View Resources tool bar option on an Event Details pane. When accessed using the Event Details pane, the additional information is for the server referenced in the selected event.
The Resource Properties pane is divided into the following tabbed pages:
Machine Info page
Processors page
Drives page
Shares page
Services page
Machine Info page
Table 33. Resource Properties pane: Machine Info page field descriptions
TimeZone Offset (Hours) - The amount of time the unitary computer system is offset from Coordinated Universal Time (UTC).
Operating System - The left pane contains the following operating system details:
OS
Version
Installed - The date and time when the operating system was installed on the machine.
Last Restart - The date and time when the machine was last restarted.
Language
SKU
Service Pack - The version number of the latest Service Pack installed on the system.
Windows
Computer System - The right pane contains the following computer system information:
Computer
Host Name - The name of the local computer according to the domain name server (DNS).
Domain
Domain Role - The role assigned to the computer within a domain or workgroup. Possible values include:
0: Standalone Workstation
1: Member Workstation
2: Standalone Server
3: Member Server
Model
Roles
System Type
Physical Memory
Processors page
The Processors page contains the following information about the processors on the selected server.
Table 34. Resource Properties pane: Processors page field descriptions
AddressWidth - The size (or width) of the address bus, which indicates the maximum amount of RAM a processor can address.
Architecture - Possible values include:
0: x86
1: MIPS
2: Alpha
3: PowerPC
5: ARM
6: Itanium-based systems
9: x64
Caption
DataWidth - The size (or width) of the external data bus, which defines the rate at which data can be moved into or out of the processor.
Description
ExtClock
Family
L2CacheSize - The amount of cache memory available for the Level 2 processor cache.
L2CacheSpeed
L3CacheSize - The amount of cache memory available for the Level 3 processor cache.
L3CacheSpeed
Manufacturer
MaxClockSpeed
Name
NumberOfCores
NumberOfLogicalProcessors - The number of logical processors for the current instance of the processor.
OtherFamilyDescription
ProcessorId
ProcessorType - Possible values include:
1: Other
2: Unknown
3: Central Processor
4: Math Processor
5: DSP Processor
6: Video Processor
Revision
Stepping
UniqueId
Version
VoltageCaps - Possible values include:
1: 5 volts
2: 3.3 volts
4: 2.9 volts
Drives page
The Drives page contains the following information about the drives that are configured on the selected server.
Table 35. Resource Properties pane: Drives page field descriptions
DeviceID
InterfaceType
Manufacturer
Model
Partitions
Size
Shares page
The Shares page contains the following information about the shared resources that are configured for the selected server.
Table 36. Resource Properties pane: Shares page field descriptions
AllowMaximum - The maximum number of concurrent users that can connect to the shared resource.
Caption
Name
Path
Services page
The Services page contains the following information about the services installed on the selected server.
Table 37. Resource Properties pane: Services page field descriptions
Description
DisplayName - The display name used by user interface programs to identify the service.
Name
PathName - The fully qualified path of the executable file for the service.
ProcessId
ServiceType - Possible values include:
Kernel Driver
Adapter
Recognizer Driver
Own Process
Share Process
Interactive Process
StartMode
StartName - The name of the account under which the service should run.
State - Possible values include:
Stopped
Start Pending
Stop Pending
Running
Continue Pending
Pause Pending
Paused
Unknown
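The field names in the Machine Info, Processors, Drives, Shares and Services pages above are the property names of the Win32_ComputerSystem, Win32_OperatingSystem, Win32_Processor, Win32_DiskDrive, Win32_Share and Win32_Service WMI classes, and the numeric codes listed (Domain Role 0-3, Architecture 0-9, ProcessorType 1-6) are the values those classes return. The following PowerShell script is an added example, not Change Auditor code, that collects the same facts from a server over WMI and decodes the codes exactly as the tables above list them; it assumes the target accepts DCOM WMI connections (the same firewall prerequisite the guide gives for workstations) and that the caller is a local administrator there. The `$ComputerName` parameter and the `Decode` helper are my own names. Beyond the tables, it also lists the services that run under a named account rather than a built-in one, which is the Services page detail most worth reviewing on an audited server.

```powershell
# Added example (not Change Auditor code): read the machine, processor and service
# facts the Resource Properties pane shows, directly from WMI over DCOM.
# Assumptions: DCOM/WMI is allowed through the firewall on the target, the caller
# is a local administrator there, and the pane's field names map to the Win32_*
# properties of the same names (inferred from the tables; not confirmed by the guide).
param(
    [string]$ComputerName = $env:COMPUTERNAME   # hypothetical parameter name
)

# Code tables copied from the Machine Info and Processors page descriptions.
$DomainRole    = @{ 0 = 'Standalone Workstation'; 1 = 'Member Workstation'
                    2 = 'Standalone Server';      3 = 'Member Server' }
$Architecture  = @{ 0 = 'x86'; 1 = 'MIPS'; 2 = 'Alpha'; 3 = 'PowerPC'
                    5 = 'ARM'; 6 = 'Itanium-based systems'; 9 = 'x64' }
$ProcessorType = @{ 1 = 'Other'; 2 = 'Unknown'; 3 = 'Central Processor'
                    4 = 'Math Processor'; 5 = 'DSP Processor'; 6 = 'Video Processor' }

function Decode([hashtable]$Table, $Value) {
    # Unknown or absent codes are reported verbatim rather than silently mapped.
    if ($null -eq $Value) { return 'n/a' }
    if ($Table.ContainsKey([int]$Value)) { $Table[[int]$Value] } else { "Unknown ($Value)" }
}

# DCOM rather than the WS-Man default, to match the guide's WMI firewall prerequisite.
$opt = New-CimSessionOption -Protocol Dcom
$cim = New-CimSession -ComputerName $ComputerName -SessionOption $opt
try {
    $cs = Get-CimInstance -CimSession $cim -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem
    $tz = Get-CimInstance -CimSession $cim -ClassName Win32_TimeZone

    # Machine Info page equivalents. Win32_TimeZone.Bias is minutes from UTC.
    [pscustomobject]@{
        Computer            = $cs.Name
        HostName            = $cs.DNSHostName
        Domain              = $cs.Domain
        DomainRole          = Decode $DomainRole $cs.DomainRole
        Model               = $cs.Model
        SystemType          = $cs.SystemType
        PhysicalMemoryGB    = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        OS                  = $os.Caption
        Version             = $os.Version
        Installed           = $os.InstallDate
        LastRestart         = $os.LastBootUpTime
        ServicePack         = $os.ServicePackMajorVersion
        TimeZoneOffsetHours = $tz.Bias / 60
    } | Format-List

    # Processors page equivalents, with the numeric codes decoded.
    Get-CimInstance -CimSession $cim -ClassName Win32_Processor |
        Select-Object Name, Manufacturer, AddressWidth, DataWidth,
            @{ n = 'Architecture';  e = { Decode $Architecture  $_.Architecture } },
            @{ n = 'ProcessorType'; e = { Decode $ProcessorType $_.ProcessorType } },
            NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, L2CacheSize, L3CacheSize |
        Format-Table -AutoSize

    # Services page equivalents, narrowed to services whose StartName is not a
    # built-in account: these are the entries an auditor reviews for account use
    # and for the binary path they start from.
    Get-CimInstance -CimSession $cim -ClassName Win32_Service |
        Where-Object { $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT Service\\)' } |
        Select-Object Name, DisplayName, State, StartMode, StartName, ServiceType, ProcessId, PathName |
        Sort-Object Name |
        Format-Table -AutoSize
}
finally {
    Remove-CimSession $cim
}
```

Run it as `.\Get-ResourceProperties.ps1 -ComputerName <server>` (file name of your choosing). Where the pane shows a workstation with the Remote Registry and WMI prerequisites listed later in this chapter unmet, this script fails at `New-CimSession` with the same access or RPC error the client sees, which makes it a quick way to confirm which prerequisite is missing.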
Agent system tray icon indicators:
Red - inactive
Yellow - initializing
You can load the agent system tray icon using one of the following methods:
Click the Advanced Options tool bar button on the Deployment page to launch the Advanced
Deployment Options dialog. From this dialog, select the Yes option for the Launch ServiceStatusTray on
startup setting.
NOTE: By default, the Do not change option will be selected which indicates that you want to use
the current setting for the agent system tray icon. That is, if you already have it set to launch on
startup it will continue to operate that way. Similarly, it will not launch on startup if this is a clean
install and you have not previously set it up to do so.
By right-clicking on the agent system tray icon, a context menu is displayed which consists of the following commands:
Table 38. Agent system tray icon: Right-click commands
Agent Status - Use the Agent Status command to display the Change Auditor Agent Status dialog, which assists you in determining if the agent is running, what version is installed, and how active the agent is. See Change Auditor Agent Status dialog for a full description of this status dialog.
Enable/Disable Agent - Use the Enable/Disable Agent command to start or stop the Change Auditor agent service.
Find More Connections - Use the Find More Connections command to seek out more coordinators in a forest than the agent automatically found.
NOTE: An agent automatically connects to a coordinator in its own site. However, if a coordinator is not available in the site, it will then search for a coordinator in the forest.
Retry Connections - When the agent is connected to a coordinator that is not currently running, use the Retry Connections command to reattempt to connect to a coordinator.
Refresh Configuration
Coordinator Credential Configurator
NOTE: This command is only available when you install a Change Auditor agent on a workgroup server.
View Agent Log - Use the View Agent Log command to launch the log viewer to review the events recorded in the Change Auditor agent log (ChangeAuditor.dll.nptlog).
For example: %ProgramFiles%\Dell\ChangeAuditor\Agent\ChangeAuditor.dll.nptlog
Load on startup - Use the Load on startup command to automatically load the system tray application when the Change Auditor agent service starts.
About - Use the About command to display information about the Change Auditor agent, including the installed version number and licensing information.
Exit
Agent Information - displays the status, version number, the coordinator installation name to which the agent is connected, and the agent's database size
Coordinator Connection - displays information regarding the connection between the agent and the Change Auditor coordinators
Agent Information
Agent is
Version - This field displays the current version of the agent installed on the server.
Installation Name - This field displays the installation name assigned to the coordinator to which the agent is connected.
DB Size (KB) - This field displays the size of the agent database, in kilobytes. This is dependent on the number of monitored Active Directory, registry and file system objects, and the number of events queued for transmission to the coordinator. If a coordinator is not available, this database may become large. When the events are successfully sent to a coordinator, the database space is re-used for subsequent events, but the displayed database size will not decrease.
License - This field displays the Change Auditor licenses that are applied. Use the arrow controls to scroll through the licenses.
Events
The Events section contains indicators of internal Change Auditor activity and may be used by Dell Support should they need to diagnose Change Auditor agent problems.
AD Events - If licensed (Change Auditor for Active Directory), this is the number of Active Directory related events processed by the agent. This field will be blank for agents running on member servers.
ADAM Events - If licensed (Change Auditor for Active Directory), this is the number of ADAM events processed by the agent.
Exchange Events - If licensed (Change Auditor for Exchange) and configured, this is the number of Exchange Mailbox events processed by the agent.
Local Security Events - If licensed (Change Auditor for Active Directory), this is the number of local user and group (SAM) events processed by the agent.
File System Events - If licensed (Change Auditor for Windows File Servers) and configured, this is the number of File System events processed by the agent.
Registry Events
VMware Events
SQL Events - If licensed (Change Auditor for SQL Server) and configured, this is the number of SQL Server events processed by the agent.
NetApp Events - If licensed (Change Auditor for NetApp) and configured, this is the number of NetApp filer events processed by the agent.
EMC Events - If licensed (Change Auditor for EMC) and configured, this is the number of EMC events processed by the agent.
SharePoint Events - If licensed (Change Auditor for SharePoint) and configured, this is the number of SharePoint events processed by the agent.
Other Events - This is the number of events processed by the agent that do not fit into the other event categories (e.g., Authentication Services events, Service events, etc.).
Logon Events - If licensed (Change Auditor for Logon Activity User), this is the number of user logon activity events processed by the agent.
SonicWALL Events - If licensed (Change Auditor for SonicWALL), this is the number of SonicWALL events processed by the agent.
Excluded Events - If configured, this is the number of events excluded by the agent because they originated from a user or computer that was defined as an excluded account.
Coordinator Connection
Status - This field displays the current status of the agent/coordinator connection: connected or not connected.
Coordinators - This field displays the computer name (and SCP port) of the Change Auditor coordinator(s) to which this agent is currently connected.
NOTE: For more details on agent connection behavior, see Appendix A: Installation Notes and Best Practices in the Dell Change Auditor Installation Guide.
[field name missing] - This field displays the time when the agent last downloaded the agent configuration information/settings.
[field name missing] - This field provides the local time when the last event was sent. If no events have been detected by Change Auditor recently, this time may be fairly old.
Events Sent - This field displays the number of events that have been sent to a coordinator since the agent was last started.
Acknowledged - This field displays the number of events that a coordinator has acknowledged. Normally, this value will be the same as the Events Sent. However, it may be smaller if the coordinator is not running or if a large number of events are being processed by the coordinator, which may be slowing it down. Events may also be lost due to communication problems, in which case the Change Auditor agent will try to re-send the events.
Events Waiting - This field displays the number of events in the agent database that are waiting to be forwarded to a coordinator. This value should be at or near zero when the server is idle, but can grow if it is busy. If the value never returns to zero, it may indicate that the agent is having difficulty communicating with the coordinator service. If this is the case, contact Technical Support for assistance.
Open the Overview page and, if the Top Agent Activity pane is not displayed, click the arrow on the heading of one of the overview panes and select Top Agent Activity.
This pane displays the most active Change Auditor agents in your environment, based on the date range specified.
By default, the agent activity on all servers for the past month, excluding uninstalled agents, will be displayed. Use the controls at the top of this pane to specify the type of agented objects to be included as well as the date range.
The values in the Audited Events column are links, which when selected will open a new Search Results tab to display the related details for these events.
If the Agent Status pane is not displayed, click the arrow on the heading of one of the overview panes and select one of the following commands:
By default, this pane will only include active and inactive (installed) agents in the pie chart. You can, however, select the Show Uninstalled Agents check box to include agents that are set as uninstalled in the pie chart.
Double-clicking the pie chart will display the Agent Statistics page.
Click the Show Uninstalled Agents tool bar button to include uninstalled agents. Click the Hide Uninstalled Agents tool bar button to exclude uninstalled agents from the display.
The values in the different event columns are links, which when selected will open a new Search Results tab to display the related details for these events.
To view agent status/statistics on the current agent only (agent system tray icon):
NOTE: The agent system tray icon can be loaded using one of the following methods:
Click the Advanced Options tool bar button on the Deployment page to display the Advanced
Deployment Options dialog. From this dialog, select the appropriate Launch ServiceStatusTray on
startup option (Yes or Do not change).
Right-click the system tray icon and select the Agent Status command.
This will display the Change Auditor Agent Status dialog, which displays agent information (including if
the agent is running), event activity for the agent and coordinator connection information.
Select the agent to be stopped and click the Stop Agent tool bar button or right-click command.
NOTE: The Stop Agent command is only available when an agent is Active.
In addition, a desktop notification will be displayed in the lower right-hand corner of your screen explaining that the selected agent is being disconnected from a specific coordinator.
Once disconnected, the agent's status will be changed to Inactive on the Agent Statistics page.
If you so choose, click the Set Agent Uninstalled tool bar button or right-click command to flag the selected agent as Uninstalled.
Click the Show Uninstalled Agents tool bar button to include uninstalled agents in the Agent Statistics list. Click the Hide Uninstalled Agents tool bar button to exclude uninstalled agents from the display.
From the server where the agent is installed, right-click the agent system tray icon and select Disable Agent.
In addition, a desktop notification will be displayed in the lower right-hand corner of your screen explaining that the selected agent is being disconnected from a specific coordinator.
Once disconnected, the agent system tray icon will contain a red light indicating that the agent is inactive.
Select a previously stopped agent and click the Start Agent tool bar button or right-click command.
NOTE: The Start Agent command is only available when an agent is Inactive.
An information message will be displayed explaining that it may take a few minutes to start the agent. Click OK to start the agent.
In addition, a desktop notification will be displayed in the lower right-hand corner of your screen explaining that the selected agent is being connected to a specific coordinator.
Once connected, the agent's status will return to Active on the Agent Statistics page.
From the server where the agent is installed, right-click the agent system tray icon and select Enable Agent.
In addition, a desktop notification will be displayed in the lower right-hand corner of your screen explaining that the selected agent is being connected to a specific coordinator.
Once connected, the agent system tray icon will no longer contain a red or yellow button, indicating that the agent is now active.
Windows Management Instrumentation (WMI) must be enabled in the firewall rule set (usually domain) on the workstation.
Remote Registry Service must be set to Start Automatically. By default, this service is stopped and set to Manual for Windows 7 and Windows 8/8.1.
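The two workstation prerequisites above are easy to verify before opening the Resource Properties pane for a workstation, and easy to get wrong on a rebuilt machine. The following PowerShell script is an added example, not Change Auditor code, that checks both on the workstation itself and, with the `-Fix` switch (my own name), applies the settings the guide asks for; it assumes the Windows-shipped firewall rule group named "Windows Management Instrumentation (WMI)" and an elevated PowerShell session.

```powershell
# Added example (not Change Auditor code): check, and with -Fix apply, the two
# workstation prerequisites the guide lists for the Resource Properties pane:
#   1. the WMI firewall rule group enabled (the guide says usually the Domain profile)
#   2. the Remote Registry service set to start automatically (and running)
# Run in an elevated PowerShell on the workstation. Requires the NetSecurity module
# (Windows 8/8.1 and later); see the note after the script for Windows 7.
param(
    [switch]$Fix   # hypothetical switch: report only unless given
)

$problems = @()

# 1. Inbound rules in the "Windows Management Instrumentation (WMI)" group that apply
#    to the Domain profile (or to any profile).
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    Where-Object { "$($_.Profile)" -match 'Domain|Any' }
if (-not $wmiRules) {
    $problems += 'No inbound WMI firewall rules found for the Domain profile'
}
foreach ($rule in $wmiRules) {
    if ("$($rule.Enabled)" -ne 'True') {
        $problems += "Firewall rule '$($rule.DisplayName)' is disabled"
        if ($Fix) { Enable-NetFirewallRule -Name $rule.Name }
    }
}

# 2. Remote Registry: Win32_Service.StartMode is 'Auto', 'Manual' or 'Disabled';
#    the guide says the Windows 7/8/8.1 default is stopped and Manual.
$rr = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
if ($null -eq $rr) {
    $problems += 'RemoteRegistry service not present'
} else {
    if ($rr.StartMode -ne 'Auto') {
        $problems += "RemoteRegistry start mode is $($rr.StartMode), expected Auto"
        if ($Fix) { Set-Service -Name RemoteRegistry -StartupType Automatic }
    }
    if ($rr.State -ne 'Running') {
        $problems += "RemoteRegistry service is $($rr.State)"
        if ($Fix) { Start-Service -Name RemoteRegistry }
    }
}

if ($problems.Count -eq 0) {
    'Workstation meets the Resource Properties prerequisites.'
} else {
    $problems | ForEach-Object { "NOT OK: $_" }
    if ($Fix) { 'Fixes applied; re-run without -Fix to confirm.' }
}
```

On Windows 7 the NetSecurity cmdlets are not available; the equivalent firewall change there is `netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes`, and the service check and `Set-Service` part of the script still works once Windows Management Framework 3.0 or later is installed. Leaving the WMI rules scoped to the Domain profile, as the guide's "usually domain" suggests, keeps the workstation from exposing WMI on public networks while still letting the Change Auditor client query it.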
The data grid and event details pane on this page contain the following information for each log entry. The value in parentheses after each field name is the Default column, which identifies whether the field is displayed in the data grid by default. To display different fields, click the Field Chooser button located to the far left of the column headings and select the columns to be displayed:
File (No) - Specifies the name of the source file that logged the message.
Function (No)
ID (No)
Level (Yes)
Line (No) - Specifies the line within the source file that logged the message.
Logger (No)
Message (Yes)
Thread (No) - Specifies the thread within the source file that logged the message.
Timestamp (Yes) - Displays the date and time when the entry was posted to the log.
NOTE: Based on the client's current local date and time. The format used to display this date and time is determined by the local machine's regional and language setting.
Use the tool bar buttons at the top of the log page to scroll through the log and search for log entries.
Table 41. Agent Log page: Tool bar buttons
Refresh - Use to refresh and reload the log entries from the source file.
NOTE: Not available when the log page is launched using the View Agent Log command.
Copy - Use to copy the selected content to the clipboard. Use with the Select All button to copy and paste the contents of the entire log into another application.
Select All - Use to select the entire contents of the log. Use with the Copy button to copy and paste the contents of the log into another application.
Find: - Use to locate entries that match the search text exactly as it was entered, including case.
Previous - Use to move to the previous entry that contains the search text.
Next - Use to move to the next entry that contains the search text.
Print - Use one of the Print options to print or save the contents of the log.
Click the Logs | Open Log tool bar button or right-click command.
On the Open Log File dialog, use the controls at the top of the dialog to locate the Change Auditor log to be viewed. Select the log file and click Open.
This will open a new page in the Change Auditor client which displays the log entries for the selected log.
Whenever an entry is highlighted in the top pane, the corresponding details will be displayed in the Event Details pane across the bottom of the screen.
Use the tool bar buttons as described above to search the log for a specific entry, to copy and paste the contents of this log for use in another application, and to print or save the contents of this log.
Select one or more agents from the list and click the Logs | Get All Logs tool bar button or right-click command.
On the Browse for Folder dialog, select the location where the logs for the selected agent(s) are to be saved. Click the OK button to save your selection.
NOTE: If necessary, use the Make New Folder button to create a new folder for these logs.
Select one or more agents from the list and click the Logs | View Agent Log tool bar button or right-click command.
This will open a new page in the Change Auditor client which displays the selected agent's log (ChangeAuditor.dll.nptlog). If multiple agents were selected, multiple log pages will be created.
Whenever an entry is highlighted in the top pane, the corresponding details will be displayed in the Event Details pane across the bottom of the screen.
In addition, when an error is highlighted in the top pane and there is a call stack available for that error, an Exception pane will also be displayed.
Use the tool bar buttons as described above to search the log for a specific entry, to copy and paste the contents of this log for use in another application, and to print or save the contents of this log.
On the server where the agent is installed, right-click the Change Auditor agent system tray icon and select View Agent Logs.
This will launch the log viewer, allowing you to review the events recorded in the selected agent's log (ChangeAuditor.dll.nptlog).
23 Coordinator Statistics and Logs
Introduction
In addition to the overview information provided in the Coordinator Status pane on the Overview page, Change Auditor provides two additional means of obtaining coordinator status and statistics:
The Coordinator Statistics page provides a global view of all installed Change Auditor coordinators, including the current status and other usage statistics for each coordinator.
The Change Auditor Coordinator Status dialog, which is accessed using the Change Auditor coordinator system tray icon, provides the status and usage statistics for a single coordinator.
You can also view or retrieve coordinator trace logs from the Coordinator Statistics page or by using the coordinator system tray icon.
This chapter provides a description of the Coordinator Statistics page as well as the Coordinator System tray component and explains how to use these features to maintain Change Auditor coordinators.
To display different fields, click the Field Chooser button located to the far left of the column headings and select the columns to be displayed:
NOTE: All dates and times are based on the client's current local date and time. The format used to display the date and time is determined by the local machine's regional and language setting.
Field (Default) - Description
Agents Connected (Yes)
[field name missing] (No) - Displays the number of alerted event entries in the last 24 hours of the coordinator operation. The value in this field is a hypertext link and when selected displays the alerts generated in the last 24 hours.
Alerts Today (Yes) - Displays the number of alerted event entries since local midnight today. The value in this field is a hypertext link and when selected displays the alerts generated since local midnight today.
Alerts Total (No)
Alerts Yesterday (No) - Displays the number of alerted event entries from local midnight yesterday to local midnight today. The value in this field is a hypertext link and when selected displays the alerts generated yesterday.
Architecture (No)
Client Port (Yes)
Coordinator (Yes)
Coordinator FQDN (No)
DB Catalog (Yes)
DB Instance (No) - Displays the name of the SQL instance that is being used for the Change Auditor coordinator database.
DB Size (Yes)
Domain (Yes)
[field name missing] (No) - Displays the number of event entries received from all Change Auditor agents in the last 24 hours of coordinator operation.
Events Today (Yes)
Events Total (No)
Events Yesterday (No) - Displays the number of event entries received from local midnight yesterday to local midnight today.
Forest (No)
Startup Time (No) - Displays the date and time when the coordinator was last initialized.
Status (Yes) - Possible values: running, initializing, stopped, failed.
Uptime (Yes)
Version (Yes)
Coordinator system tray icon indicators:
Red - inactive
Yellow - initializing
By right-clicking on the Change Auditor coordinator icon in the system tray, a context menu is displayed which consists of the following commands:
Table 43. Coordinator system tray icon: Right-click commands
Coordinator Status - Use the Coordinator Status command to display the Change Auditor Coordinator Status dialog, which assists you in determining if the coordinator is running, what version is installed and how active the coordinator is. See Change Auditor Coordinator Status dialog for a full description of this status dialog.
Enable/Disable Coordinator - Use the Enable/Disable Coordinator command to start or stop the Change Auditor coordinator.
View Coordinator Log - Use the View Coordinator Log command to launch the log viewer to review the events recorded in the Change Auditor coordinator log (ChangeAuditor.Service.exe.nptlog).
For example: %ProgramFiles%\Dell\ChangeAuditor\Service\ChangeAuditor.Service.exe.nptlog
Coordinator Configuration - See Coordinator Configuration tool for a description of how to use this utility.
Data Migration Tool - Use the Data Migration Tool command to launch the Data Migration Tool to migrate legacy 5.x (5.6 or higher) data into a new or upgraded 6.x database or to move 6.x data into an archive database. See the Dell Change Auditor Installation Guide for a description of this utility.
Load On Startup - Use the Load on Startup command to automatically load the system tray application when the Change Auditor coordinator starts.
About - Use the About command to display information about Change Auditor, including the installed version number and licensing information.
Exit
Coordinator Information - displays the status, version number, SCP port and installation name for the
coordinator
Database Information - displays the coordinator database server, name and size
Agent Connections to this Coordinator - displays the total number of agents, including legacy (5.x)
agents, that are connected to the coordinator
Events and Alerts on this Coordinator - displays status information regarding events, alerts, and search
activities for this particular coordinator
The Change Auditor Coordinator Status dialog contains the following information:
Table 44. Change Auditor Coordinator Status dialog: Status information
Field - Description
Coordinator Information
Coordinator Status - Running, Initializing, Stopped or Failed. This value will normally be Running. If the credentials supplied for the database access during the Change Auditor coordinator installation are incorrect or have expired, this field will display Not Running indicating that the coordinator did not successfully start. If this happens, use the Database Configuration Utility to change the permissions trying to access the database.
Installation Name
SCP Port - Displays the port number assigned to the coordinator Service Connection Point (SCP).
Version
Database Information
SQL Server
Database Catalog - Displays the name assigned to the coordinator database during the coordinator installation.
Database Size
Agent Connections to this Coordinator
Displays the total number of Change Auditor agents connected to this coordinator.
Legacy Agents Connected (5.x) - Displays the number of legacy (5.x) Change Auditor agents connected to this coordinator.
Events and Alerts on this Coordinator
Displays the number of events this coordinator has received since it was last started.
Events in Receive Buffer - Displays the number of events that have not yet been processed by this coordinator and forwarded to the Change Auditor client.
Displays the average number of events processed by this coordinator per second.
By right-clicking on the coordinator system tray icon and selecting the Coordinator Configuration command, the Coordinator Configuration tool appears, allowing you to:
specify static SCP listening ports to be used to communicate with the coordinator
The tool consists of the following pages:
Security page
Ports page
Protection page
Security page
From the Security page, you can change the database instance and service accounts used to access the
database.
NOTE: If User Account Control (UAC) is enabled, a confirmation dialog appears where you can authorize
the Coordinator Configuration tool to use the required elevated rights.
Use the fields/options on this dialog to enter the credentials to be used to access the designated SQL
Connect using
Windows Authentication - this option is selected by default and will use Windows authentication to access the database.
SQL Server Authentication - select this option to use SQL Server authentication to access the database.
Depending on the authentication option selected above, enter the appropriate user credentials.
Login ID - Enter the user name for the account to be used to access the SQL server instance.
Password - Enter the password associated with the user account entered above.
Domain - Enter the domain name for the Windows account to be used to access the designated SQL server instance. (Only valid for Windows Authentication.)
Ports page
By default, Change Auditor dynamically assigns communication ports for each installed coordinator. However,
using the Ports page of the Coordinator Configuration dialog, you can specify static SCP listening ports to be
used to communicate with the Change Auditor coordinator.
NOTE: If you upgraded from a 5.x installation where static ports were defined, these static ports will be
retained as part of the upgrade process. However, the Agent Port setting, which is new and is used by 6.0
agents, will be set to use a dynamic port. (Note that the 5.x agents now use the Agent Port (Legacy)
setting on this page.) Check with your system administrator to determine whether this new connection
should also be using a static port.
Enter the port(s) to be used to communicate with the coordinator:
NOTE: A zero (0) indicates that a dynamic port is being used. If you have set a static port and wish to use
a dynamic port, change the port number back to 0.
Client Port - Enter the static port number to be used by the Change Auditor client to communicate with the coordinator.
Agent Port - Enter the static port number to be used for communication between a Change Auditor agent (6.x) and a coordinator.
Protection page
By default, Change Auditor stores the Active Directory and GPO protection templates in SQL. However, you
can use the Protection page of the Coordinator Configuration dialog to have Change Auditor store the Active
Directory and GPO protection templates in Active Directory instead of SQL.
NOTE: When you have selected to store your Active Directory and Group Policy protection templates in
Active Directory, you can use the Security feature on the Active Directory Protection page or Group Policy
Protection page to provide an additional layer of security. The additional setting is intended for customers
who require tighter security ACLs on their Active Directory and GPO objects and templates (i.e., the
Change Auditor SQL database may not be fully secured by ChangeAuditor Administrators). For more
information about setting this additional security on protected objects, see the Dell Change Auditor for
Active Directory User Guide.
Specify the appropriate option for storing Active Directory/GPO protection and ADAM (AD LDS) protection:
Active Directory/GPO protection - SQL (default) or AD
ADAM (AD LDS) protection - SQL (default) or AD
1. Open the Overview page and if the Coordinator Status overview pane is not being displayed, click the arrow button on an overview pane and select one of the following commands:
This will display a pie chart depicting the current status of all the Change Auditor coordinators installed in either the entire enterprise or in a selected domain.
2. By default, this pane will only include installed coordinators in the pie chart. You can, however, select the Show Uninstalled Coordinators check box to include uninstalled coordinators in the pie chart.
Double-clicking the pie chart will display the Coordinator Statistics page.
Click the Show Uninstalled Coordinators tool bar button to include coordinators set as uninstalled. Click the Hide Uninstalled Coordinators tool bar button to exclude these coordinators from the display.
The values in the different event columns are links, which when selected will open up a new Search Results tab to display the related details for these events.
From the server where the coordinator is installed, right-click the coordinator system tray icon and
select Coordinator Status.
This will display the Change Auditor Coordinator Status dialog, which displays status and statistics
regarding the coordinator, database, agent connections and events and alerts.
To stop a coordinator:
1. From the server where the coordinator is installed, right-click the coordinator system tray icon and select Disable Coordinator.
In addition, a desktop notification will be displayed in the lower right-hand corner of your screen explaining that the selected coordinator is being disabled.
Once disabled, the coordinator system tray icon will contain a red light indicating that the coordinator is disabled.
If you so choose, click the Set Coordinator Uninstalled tool bar button or right-click command to flag the selected coordinator as Uninstalled.
Click the Show Uninstalled Coordinators tool bar button to include uninstalled coordinators in the Coordinator Statistics list. Click the Hide Uninstalled Coordinators tool bar button to exclude uninstalled coordinators from the display.
To start a coordinator:
1. From the server where the coordinator is installed, right-click the coordinator system tray icon and select Enable Coordinator.
In addition, a desktop notification will be displayed in the lower right-hand corner of your screen explaining that the selected coordinator is being started.
Once restarted, the coordinator system tray icon will no longer contain a red or yellow button, indicating that the coordinator is now active.
Service: CA4xCompat.dll.nptlog - this log includes the messages logged during agent to coordinator
communications.
Service: ChangeAuditor.Service.exe.nptlog - this log includes the messages logged during client to
coordinator communications.
The data grid and event details pane on this page contain the following information for each log entry. The default column in the table below identifies the fields that are displayed in the data grid by default. To display different fields, click the Field Chooser button.
Field (Default) - Description
File (No) - Specifies the name of the source file that logged the message.
Function (No)
ID (No)
Level (Yes)
Line (No) - Specifies the line within the source file that logged the message.
Logger (No)
Message (Yes)
Thread (No) - Specifies the thread within the source file that logged the message.
Timestamp (Yes) - Displays the date and time when the entry was posted to the log.
NOTE: Based on the client's current local date and time. The format used to display this date and time is determined by the local machine's regional and language setting.
Use the tool bar buttons at the top of the log page to scroll through the log and search for log entries.
Table 46. Coordinator Log page: Tool bar buttons
Button - Description
Refresh - Use to refresh and reload the log entries from the source file. NOTE: Not available when the log page is launched using the View Coordinator Log command.
Copy - Use to copy the selected content to the clipboard. Use with the Select All button to copy and paste the contents of the entire log into another application.
Select All - Use to select the entire contents of the log. Use with the Copy button to copy and paste the contents of the log into another application.
Find - Use to locate entries that match the case as it was entered in the search text.
Previous - Use to move to the previous entry that contains the search text.
Next - Use to move to the next entry that contains the search text.
Print - Use one of the Print options to print or save the contents of the log.
Click the Logs | Open Log tool bar button or right-click command.
On the Open Log File dialog, use the controls at the top of the dialog to locate the Change Auditor log to
be viewed. Select the log file and click Open.
This will open a new page in the Change Auditor client which displays the log entries for the selected
log.
Whenever an entry is highlighted in the top pane, the corresponding details will be displayed in the
Event Details pane across the bottom of the screen.
Use the tool bar buttons as described above to search the log for a specific entry, to copy and paste the
contents of this log for use in another application, and print or save the contents of this log.
Select a coordinator from the list and click the Logs | Get All Logs tool bar button or right-click
command.
On the Browse for Folder dialog, select the location where these logs are to be saved. Click the OK
button to save your selection.
NOTE: If necessary, click the Make New Folder button to create a new folder for these logs.
Select a coordinator from the list and click the Logs | View Coordinator Log tool bar button or right-click command.
This will open a new page in the Change Auditor client which displays the log entries in the Change
Auditor coordinator log (ChangeAuditor.Service.exe.nptlog).
Whenever an entry is highlighted in the top pane, the corresponding details will be displayed in the
Event Details pane across the bottom of the screen.
In addition, when an error is highlighted in the top pane and there is a call stack available for that error,
an Exception pane will also be displayed.
Use the tool bar buttons as described above to search the log for a specific entry, to copy and paste the
contents of this log for use in another application, and to print or save the contents of this log.
From the server where the coordinator is installed, right-click the coordinator system tray icon and
select View Coordinator Log.
This will launch the log viewer, allowing you to review the entries recorded in the Change Auditor
coordinator log (ChangeAuditor.Service.exe.nptlog).
A
Change Auditor Commands
This appendix lists the commands available throughout the Change Auditor client. The tables in this appendix
list the following commands that are available throughout the entire client:
Menu commands
Right-click commands
Menu commands
The Change Auditor menus follow the same convention as standard Windows menus. That is, commands are
grouped under a menu on the menu bar. Some of these commands perform an action immediately; others
display an additional dialog or launch a wizard where you select various options or specify additional
information.
The following table provides a description of the commands available under each of the Change Auditor menus.
Table 47. Menu commands
Menu command (Shortcut key) - Description
File Menu
Ctrl+O
Connect
Ctrl+D
Open Log - Use to view one of the Change Auditor log files. Selecting this command will display the Open Log dialog allowing you to select the log file to be viewed. Once selected, a new tabbed page will be created in the Change Auditor client displaying the entries logged in the selected log.
Use to view the current Change Auditor client log. A new tabbed page will be created in the Change Auditor client displaying the entries logged to the current client log.
Ctrl+P
Print to File (Ctrl+Shift+F) - Excel (.xls) or comma delimited (.csv) file. When you select this command, the native Save As dialog will be displayed allowing you to specify the location, file name and type of file to be created.
Print to PDF (Ctrl+Shift+D)
Print Preview (Ctrl+Shift+P)
Page Setup (Ctrl+Shift+U)
Exit (Ctrl+Q)
Edit Menu
Cut (Ctrl+X)
Copy (Ctrl+C)
Paste (Ctrl+V)
Delete
Move
Action Menu
Refresh (F5)
Autofit Columns to Contents (Ctrl+F)
Reset Display
Use to display the XML tab, which displays the XML representation of a selected search criteria, at the end of the Search Properties tabs. NOTE: This command is only available from the Searches page and a Search Results page.
Use to display the SQL tab, which displays the SQL query built to run a selected search, at the end of the Search Properties tabs. NOTE: This command is only available from the Searches page and a Search Results page.
Auto Connect
Agent Notifications
Agent Auto Refresh - Use to enable or disable the refreshing of the currently displayed grid (on the Deployment, Overview or Agent Statistics page) when an agent either connects or disconnects. NOTE: Agent Auto Refresh is enabled by default.
Hide Unlicensed Components
Export
Import
View Menu
Deployment (Ctrl+F8) - Use to display the Deployment page, from which you can deploy Change Auditor agents.
Overview (Ctrl+F9)
Searches (Ctrl+F10) - Use to display the Searches page, from which you can run searches, define new searches and enable alerting.
Statistics | Agent (Ctrl+F11)
Statistics | Coordinator (Shift+F11)
Administration (Ctrl+F12)
List of open windows - The remainder of this menu lists all of the windows that are currently opened in the Change Auditor client. A check mark to the left of a window indicates the window that is currently active.
Help Menu
About - Use to display the Dell Change Auditor dialog which displays the following information: The Legal Notices tab displays acknowledgments for third-party components that are used in Change Auditor
Contents
Description
Add
Most Administration
Tasks pages
Application User
Interface page
Add
Add Role Definition
Add
Subsystem
Event Class
Object Class
Severity
Results
Add with Events
What tab
Who tab
Who tab
Add | Exclude
Exchange Mailbox
Auditing page
Subsystem
Event Class
Object Class
Severity
Results
Add with Events
Advanced Options |
Advanced Options
Advanced Options |
ActiveRoles Integration
Deploy Scripts Only
Where tab
Origin tab
Where tab
Alert Properties
Apply Changes
Assign
Comments
Configurations
Connect To
Copy
Active Directory
Protection page
Group Policy Protection
page
Log pages
Event Details pane
SQL tab
XML tab
Credentials
Deployment page
Default
Default All
Set
Clear
Test
Delete
Application User
Interface page
Member of Group
Auditing page
Excluded AD Query
Auditing page
Exchange Mailbox
Auditing page
Purge Jobs page
Report Layouts page
Who tab
Where tab
Origin tab
Delete | Delete
Administration Account
Excluded Accounts
Auditing page
Delete | Delete Object Class - Use to remove the selected object class from the Active Directory or ADAM (AD LDS) auditing list.
Delete | Delete Registry Key - Use to remove the selected registry key from a Registry auditing template.
Delete | Delete SQL Instance - Use to remove the selected SQL instance from a SQL auditing template. (SQL Auditing page)
Auditing pages
Delete Criteria
What tab
Design Report
Report tab
Disable
Protection pages
Disable Report
Edit
Most Administration
Tasks pages, including:
Report Layouts
page
Application User
Interface page
Auditing pages
Protection pages
Use to modify the selected entry in the What search criteria list. (What tab)
Edit Logon
Enable
Event Details
Event Logging
Explorer View
Use to show the explorer view in the left-hand pane of the Searches page. (Searches page)
Find
Force Refresh
Deployment page
Searches page
Hide Properties
Searches page
Agent Statistics page
Hide Uninstalled
Coordinators
Coordinator Statistics
page
High/Medium/Low
Install or Upgrade
Knowledge Base
Logs
Open Log
Match Case
Log pages
New
Searches page
New Folder
New Search
New Servers
Next
Use to move to the next log entry that contains the search text. (Log pages)
Overviews
Preview Changes
Use to run the search based on the changes made to the search query and display the results in the current Search Results page. (Search Properties tabs on the Search Results page)
Preview Report
Previous
Use to move to the previous log entry that contains the search text. (Log pages)
Overview page
Report tab
All pages
Print
Print to File
Print to PDF
Print Preview
Page Setup
Refresh
(.xls) or
Overview page
Refresh Configuration
Refresh Status
Deployment page
Related Search
Restart Agent
Restore Value
Log pages
Searches page
Search Properties tabs
Save
Save As
Save As
Save As Default
Search Properties
Use to display the Search Properties tabs across the bottom of the page. (Search Results page)
Select All
Log pages
Exchange Mailbox
Auditing page
Log pages
Show Properties
Use to display the Search Properties tabs across the bottom of the Searches page. (Searches page)
Agent Statistics page
Use to display the Resource Properties pane across
the bottom of the Agent Statistics page.
Show Uninstalled
Coordinators
Coordinator Statistics
page
Start Agent
Stop Agent
Use to stop a Change Auditor agent. This button is only available when an agent is in an active state. (Agent Statistics page)
Test SMTP
Coordinator
Configuration page
Test SNMP
Coordinator
Configuration page
Uninstall
Deployment page
Right-click commands
The following table lists the commands which are available through right-click functionality. The commands are
listed in alphabetical order with a reference to the pages from which they can be accessed.
Table 49. Right-click commands
Command
Alert
Enable Transport
SMTP
NOTE: The History and Delete History options are only displayed when
alerting has been enabled for a search.
SNMP
WMI
Disable Transport
SMTP
SNMP
WMI
Disable Alert
History
Delete History
All Results
Assign
Assign to Configuration
Audit
Clear Result
Collapse All
Comments
Copy
Credentials
Set
Clear
Test
Cut
Searches page:
Delete
Searches page:
Disable
Disable Report
Edit
Enable
Exclude
Expand All
Export
Searches page:
Hide Properties
Searches page:
Import Folder
Import Search
Install or Upgrade
Knowledge Base
Logs
Searches page:
New
Searches page:
New Folder
New Search
Overviews
Paste
Searches page:
Searches page:
Redo
Refresh Configuration
Refresh Status
Rename
Report
Agents Configuration
Disable Report
Restart Agent
Run
Scope
Search Properties
Security
Select All
Set As My Favorite
Show Properties
Searches page
Stop Agent
Success Only
Undo
Uninstall
B
Change Auditor Email Tags
The Alert Body Configuration dialog allows you to edit the plain text and the HTML representation of alert emails. It consists of the following tabbed pages:
Preview - for previewing a sample of what your customized email will look like.
Main Body - to define the overall content and layout of the alert email body.
Event Details - to define the details to be included for each event included in the alert email.
The text entered in these tabs is sent when the alert triggers, with the exception of the variable tags (%xxx%). These tags are used to retrieve information from Change Auditor. The following tags are used and should NOT be modified.
Table 50. Tags valid in the Main Body tab
Email Tag - Description
%ALERT_COORDINATOR_DOMAIN% - The name of the domain where the coordinator that generated the alert resides.
%ALERT_COORDINATOR_NAME%
%ALERT_NAME%
%ALERT_TIME_SENT%
%ALERT_TYPE%
%BATCH_ID% - The batch ID for all alerts grouped into a single smart alert email.
%EVENT_COUNT%
%SMART_ALERT%
%SMART_ALERT_GROUPING%
%SMART_ALERT_OCCURRENCE% - For smart alerts, the occurrence value specified in Send alert when <nn> Events occur within <nn> <interval>.
%SMART_ALERT_PERIOD% - For smart alerts, the period of time specified in Send alert when <nn> Events occur within <nn> <interval>.
%SMART_ALERT_PERIOD_UNIT% - For smart alerts, the time interval (minutes, hours or days) specified in Send alert when <nn> Events occur within <nn> <interval>.
Email Tag - Description
%ACTIONNAME%
%AD_SAMACCOUNTNAME% - For Active Directory events, the logon name of the user who initiated the change event.
%AD_USERPRINCIPALNAME% - For Active Directory events, the user principal name (UPN) of the user who initiated the change event.
%ADAM_CONFIGURATIONSET% - For ADAM (AD LDS) events, the name of the configuration set that holds the ADAM instance where the change occurred.
%ADAM_INSTANCENAME% - For ADAM (AD LDS) events, the name of the ADAM instance where the change occurred.
%ADAM_INSTANCEPORT% - For ADAM (AD LDS) events, the communications port used by the ADAM instance where the change occurred.
%ADAM_PARTITIONNAME% - For ADAM (AD LDS) events, the name of the directory partition where the change event occurred.
%ALERT_COORDINATOR_DOMAIN% - The name of the domain where the coordinator that generated the alert resides.
%ALERT_COORDINATOR_NAME%
%ALERT_NAME%
%ALERT_TIME_SENT%
%ALERT_TYPE%
%ATTRIBUTENAME% - For Active Directory and ADAM (AD LDS) events, the name of the schema attribute that was modified (e.g., displayName). For File System events, the name of the file or folder attribute that was modified.
%BATCH_ID% - The batch ID assigned to all alerts grouped into a single smart alert email.
%COMMENT% - Any comments for the event which were entered using the Comments feature on the Event Details pane.
%DOMAINCONTROLLER%
%DOMAINDN%
%DOMAINFQDN% - The fully qualified domain name (FQDN) of the domain to which the Change Auditor agent that generated the alert belongs.
%DOMAINNAME% - The name of the domain to which the Change Auditor agent that generated the alert belongs.
%EVENT_COUNT%
%EVENTCLASSNAME%
%EVENTMESSAGE%
%EVENTSOURCE% - Indicates the application where the change event came from: Change Auditor, ActiveRoles Server, or GPOADmin.
%EXCHANGE%
%FACILITYNAME% - The name of the event class facility to which the event belongs (e.g., Domain Configuration).
%FORESTNAME% - The name of the forest where the Change Auditor agent that captured the event resides.
%FS_ATTRIBUTENAME% - For File System events, the name of the attribute that was modified.
%FS_FILENAME% - For File System events, the name of the file that was modified.
%FS_FILESERVER% - For File System events, the name of the server where the file or folder that was modified resides.
%FS_FILESYSTEMTYPEID% - For File System events, the type of object (File or Folder) that was modified.
%FS_FOLDERPATH% - For File System events, the full path of the file or folder where the modification occurred.
%FS_LOGONID% - For File System events, the logon ID of the user who made the change.
%FS_PRIMARYSID% - For File System events, the SID of the user who made the change.
%FS_PROCESSNAME% - For File System events, the full path of the application responsible for the change.
%FS_SHARENAME% - For File System events, the name of the local share that was modified.
%FS_TRANSACTIONID%
%FS_TRANSACTIONSTATUS%
%GLOBALCATALOG%
%GPO_POLICYCANONICAL% - For Group Policy events, the canonical name (CN) of the group policy that was modified.
%GPO_POLICYITEM% - For Group Policy events, the group policy item that was modified.
%GPO_POLICYNAME% - For Group Policy events, the name of the group policy that was modified.
%GPO_POLICYSECTION% - For Group Policy events, the section of the group policy that was modified.
%INITIATORMAIL%
%INITIATORSID%
%INITIATORUSERNAME%
%IPADDRESS% - The IP address of the Change Auditor agent that generated the alert.
%LDAP_ATTRIBUTES%
%LDAP_ELAPSED%
%LDAP_FILTER%
%LDAP_OCCURRENCES%
%LDAP_RESULTS%
%LDAP_SCOPE% - For AD Query events, the scope of coverage: This object only or This object and all children.
%LDAP_SINCE% - For AD Query events, the date and time when the AD query was first initiated.
%LDAP_TYPE%
%LOGON_DURATION% - For Logon Session events, how long the user session lasted or how long the user was actually logged onto the computer (depends on the event).
%LOGON_END% - For Logon Session events, the date and time when the user logged out of the computer.
%LOGON_SESSIONEND% - For Logon Session events, the date and time when the current user session ended.
%LOGON_SESSIONSTART% - For Logon Session events, the date and time when the current user session began.
%LOGON_START% - For Logon Session events, the date and time when the user initially logged onto the computer.
%LOGON_TYPE% - Domain Authentication, Interactive or Remote Interactive.
%OBJECTCANONICAL% - For Active Directory and ADAM (AD LDS) events, the canonical name of the object that was modified. For Group Policy events, the canonical name of the group policy that was modified. For AD Query events, the LDAP object canonical name of the object that was queried.
%OBJECTCLASS% - For Active Directory and Exchange events, the object class that was modified (e.g., groupPolicyContainer). For ADAM (AD LDS) events, the object class that was modified (e.g., container, user, group). For AD Query events, the object class that was queried.
%OBJECTNAME% - For Active Directory and Exchange events, the name of the object that was modified. For ADAM (AD LDS) events, the distinguished name of the object that was modified. For Group Policy events, the name of the group policy that was modified. For AD Query events, the name of the object that was queried.
%ORGANIZATIONALUNIT% - For Active Directory and ADAM (AD LDS) events, the OU associated with the object that was modified. For Group Policy events, the name of the OU that is linked to the group policy that was modified. For AD Query events, the name of the OU associated with the LDAP query.
%OSVERSION%
%REGISTRYKEY% - For Registry events, the name of the registry key that was modified.
%REGISTRYVALUE%
%RESULTNAME% - Success, Protected, Failed or None.
%SAM_PRINCIPALNAME% - The logon name of the local account that initiated the change event.
%SAM_PRINCIPALTYPE%
%SERVERDN% - The distinguished name (DN) of the agented server that captured the event.
%SERVERFQDN% - The fully qualified domain name (FQDN) of the agented server that captured the event.
%SERVERNAME%
%SERVEROU%
%SERVICE_DISPLAYNAME% - For Service events, the display name of the service that was modified.
%SERVICE_NAME% - For Service events, the name of the service that was modified.
%SEVERITYNAME%
%SHAREPOINT_FARMNAME% - For SharePoint events, the name of the SharePoint farm where the modification occurred.
%SHAREPOINT_ITEMNAME%
%SHAREPOINT_ITEMURL% - For SharePoint events, the URL of the SharePoint item that was modified.
%SHAREPOINT_LISTNAME% - For SharePoint events, the name of the SharePoint list that was modified.
%SHAREPOINT_LISTPATH% - For SharePoint events, the full path of the SharePoint list where the modification occurred.
%SHAREPOINT_WEBNAME% - For SharePoint events, the name of the web site where the modification occurred.
%SHAREPOINT_WEBURL% - For SharePoint events, the URL of the web site where the modification occurred.
%SIGNSEAL%
%SITEDN% - The distinguished name (DN) of the site where the agented server resides.
%SITENAME%
%SMART_ALERT%
%SMART_ALERT_GROUPING%
%SMART_ALERT_OCCURRENCE% - For smart alerts, the occurrence value specified in Send alert when <nn> Events occur within <nn> <interval>.
%SMART_ALERT_PERIOD% - For smart alerts, the period of time specified in Send alert when <nn> Events occur within <nn> <interval>.
%SMART_ALERT_PERIOD_UNIT% - For smart alerts, the time interval (minutes, hours or days) specified in Send alert when <nn> Events occur within <nn> <interval>.
%SONICWALL_AUTHTYPE%
%SONICWALL_DURATION% - For SonicWALL alerts, the time span between the activity start time and the activity end time.
%SONICWALL_END% - For SonicWALL alerts, the date and time when the activity ended.
%SONICWALL_SITEAPCATEGORY% - For SonicWALL alerts, the application category for the site where the activity occurred.
%SONICWALL_SITEAPPNAME% - For SonicWALL alerts, the application name for the site where the activity occurred.
%SONICWALL_SITECLOUD% - For SonicWALL Cloud Storage alerts, the name of the cloud storage site (for example, Dropbox) where the activity occurred.
%SONICWALL_SITECOUNTRY%
%SONICWALL_SITEDOMAIN% - For SonicWALL alerts, the name of the site's domain where the activity occurred.
%SONICWALL_SITEFULLURLS% - For SonicWALL alerts, a list of the full URL(s) of the site where the activity occurred.
%SONICWALL_SITEIP% - For SonicWALL alerts, the IP address of the site where the activity occurred.
%SONICWALL_SITENAME% - For SonicWALL Cloud Storage alerts, the web site name of the cloud storage site (for example, www.dropbox.com) where the activity occurred.
%SONICWALL_SITEPORT% - For SonicWALL alerts, the port number (80, 443, etc.) of the site where the activity occurred.
%SONICWALL_SITEZONE% - For SonicWALL alerts, the zone name (e.g., LAN or WAN) of the site where the activity occurred.
%SONICWALL_START% - For SonicWALL alerts, the date and time when the activity started.
%SONICWALL_USERZONE% - For SonicWALL alerts, the zone name (e.g., LAN or WAN) of the user who initiated the activity.
%SQL_APPLICATIONNAME% - For SQL events, the name of the client application that initiated the change event.
%SQL_CLIENTPROCESSID% - For SQL events, the identification number associated with the client process that initiated the change event.
%SQL_DATABASEID% - For SQL events, the identification number associated with the SQL database used by the process that initiated the change event.
%SQL_DATABASENAME% - For SQL events, the name of the SQL database used by the process that initiated the change event.
%SQL_EVENTCLASS%
%SQL_EVENTSUBCLASS% - For SQL events, the type of event subclass that was performed.
%SQL_HOSTNAME% - For SQL events, the name of the client workstation that initiated the session.
%SQL_INSTANCENAME% - For SQL events, the name of the SQL instance where the change event occurred.
%SQL_ISSYSTEM%
%SQL_LINKEDSERVERNAME%
%SQL_OBJECTID% - For SQL events, the object identifier associated with the SQL object that was changed.
%SQL_OBJECTID2%
%SQL_OBJECTNAME% - For SQL events, the name of the SQL Server object that was changed.
%SQL_OBJECTTYPE% - For SQL events, the type of SQL Server object that was changed.
%SQL_OWNERID% - For SQL lock events, the type of object that owns a lock.
%SQL_OWNERNAME% - For SQL events, the database user name of the object owner.
%SQL_PARENTNAME% - For SQL events, the name of the schema in which the object that changed resides.
%SQL_PROVIDERNAME%
%SQL_ROWCOUNTS% - For SQL events, the number of rows returned by the SQL query.
Description:
%SQL_SESSIONLOGINNAME%
For SQL events, the SQL Server login name used by the client to
create the session.
%SQL_SPID%
For SQL events, the SQL Server Process ID associated with the process
that initiated the change.
%SQL_SUCCESS%
%SQL_TEXTDATA%
For SQL events, the character string used in the SQL query.
%SSLTLS%
%SUBSYSTEMNAME%
%TIMEBATCHED%
The UTC date and time when the batch of events was sent from the
agent to the coordinator.
%TIMEDETECTED%
The UTC date and time when the Change Auditor agent captured the
event.
%TIMEOFDAY%
The UTC time (no date) when the Change Auditor agent captured the
event.
%TIMERECEIVED%
The UTC date and time when the event was received by Change
Auditor.
%TIMEZONE%
The name of the time zone used for the alert's date/time stamps in
the email.
%TIMEZONETIMEDETECTED%
The date and time when the Change Auditor agent captured the
event, based on the selected time zone.
%TIMEZONETIMERECEIVED%
The date and time when the event was received by Change Auditor,
based on the selected time zone.
%USERADDRESS%
%USERADDRESSIPV4%
%USERADDRESSIPV6%
%USERDISPLAY%
%USERMAIL%
%USERNAME%
The NT4 logon name (domain\name) of the user who initiated the
change.
%USERSID%
The security identifier (SID) assigned to the user who initiated the
change.
%VALUENEW%
%VALUEOLD%
%VMWARE_COMPUTERESOURCE%
%VMWARE_DATACENTER%
For VMware events, the name of the datacenter object where the
modification occurred.
%VMWARE_DS%
%VMWARE_DVS%
%VMWARE_HOST%
For VMware events, the name or IP address of the host being audited
(as specified in the VMware Auditing template).
%VMWARE_NET%
For VMware events, the name of the network object where the
change occurred.
%VMWARE_VM%
For VMware events, the name of the virtual machine where the
modification occurred.
%VMWARE_VMWAREHOSTNAME%
For VMware events, the name of the host where the modification
occurred.
The event details defined in the Event Details tab are placed in the Main Body pane using the following tag:
%EVENT_DETAILS%
Do NOT remove this tag from the Main Body tab if you want the event details to be included in the alert
emails.
C Change Auditor PowerShell Commands
Adding the PowerShell Module
Viewing available commands and help
Installing Change Auditor coordinators and web clients
Finding Change Auditor installations and coordinators
Connecting to and disconnecting from Change Auditor installations and coordinators
Gathering Change Auditor system information
Deploying Change Auditor agents
Open a Windows PowerShell window and type the following at the Windows PowerShell command
prompt:
Import-Module <path>
Where "<path>" is the file path for the Dell.ChangeAuditor.PowerShell.dll assembly found in the Change
Auditor client folder.
Type the following at the Windows PowerShell command prompt to ensure the module was added:
Get-Module -All
The registered PowerShell modules are listed.
To view an interactive command browser that shows you the layout of commands as well as the help for
the commands, enter:
Show-Command cmdletName
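The three steps above (import the assembly, confirm it registered, browse its commands) as one script. This is an added example, not code from the Dell guide; it assumes the module takes its name from the DLL file name (Dell.ChangeAuditor.PowerShell), as binary modules imported by path normally do, and the client folder path is a placeholder you replace with your own.

```powershell
# Added example; not code from the Dell guide. Loads the Change Auditor module,
# checks that it registered, and lists the cmdlets it exports.
# Assumption: the module takes its name from the DLL file name
# (Dell.ChangeAuditor.PowerShell), as binary modules imported by path normally do.
# Assumption: $clientFolder is a placeholder for your local Change Auditor client folder.
$clientFolder = 'C:\Program Files\Dell\ChangeAuditor\Client'
$moduleDll    = Join-Path $clientFolder 'Dell.ChangeAuditor.PowerShell.dll'
$moduleName   = 'Dell.ChangeAuditor.PowerShell'

if (-not (Test-Path -LiteralPath $moduleDll)) {
    throw "Change Auditor PowerShell assembly not found at '$moduleDll'"
}

# -ErrorAction Stop turns a failed import into a terminating error now, rather than a
# 'cmdlet not recognized' error later when the first CA cmdlet is called.
Import-Module -Name $moduleDll -ErrorAction Stop

# Get-Module -All (the guide's check) lists every module; filtering on the name
# makes the check unambiguous and scriptable.
$loaded = Get-Module -Name $moduleName
if (-not $loaded) {
    throw "Import-Module returned without error but '$moduleName' is not listed by Get-Module"
}
"Loaded $($loaded.Name) $($loaded.Version) from $($loaded.Path)"

# List the exported cmdlets grouped by verb before opening Show-Command on one of them.
Get-Command -Module $moduleName |
    Sort-Object Verb, Noun |
    Format-Table Verb, Noun, Name -AutoSize

# Show-Command (the guide's interactive browser) needs a GUI-capable host; skip it when
# the script runs unattended.
if ([Environment]::UserInteractive) {
    Show-Command -Name Connect-CAClient
}
```

Failing early on a missing or unloadable assembly matters for scheduled scripts: without the checks, a missing module shows up only as a confusing "not recognized" error on the first Change Auditor cmdlet.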
Install-CACoordinator
Install-CAWebClient
Install-CACoordinator
Use this command to install a Change Auditor coordinator locally.
Table 52. Available parameters
Parameter
Description
-MsiPath
-SQLAuthDatabaseCredentials
-DatabaseCredentials
-DatabaseServer
-LogPath
The local path on the computer where the installation log will be
written.
Install-CAWebClient
Use this command to install the web client locally.
Table 53. Available parameters
Parameter
Description
-MsiPath
-CoordinatorConnection
-LogPath
Find-CAInstallations
Find-CACoordinators
Find-CASuitableCoordinator
Find-CAInstallations
Use this command to search Active Directory for all available Change Auditor installations. By default the
current computer's forest is searched; you can optionally specify a domain to search cross-forest for deployments.
Find-CACoordinators
Use this command to search Active Directory for all available coordinators. By default the current computer's
forest is searched; you can optionally specify a domain to search cross-forest for deployments. This search returns
all the information required to connect to the coordinator, including ports.
Find-CASuitableCoordinator
Use this command to search Active Directory for a coordinator to which a connection can be made. By default
the current computer's forest is searched; you can optionally specify a domain to search cross-forest for
deployments.
Example: Find a coordinator in the DomainName.com domain that you have the credentials to
connect to
Find-CASuitableCoordinator -DomainName DomainName.com
Example: Find a coordinator in the DEFAULT installation that you have the credentials to connect
to
Find-CASuitableCoordinator -InstallationName DEFAULT
Connect-CAClient
Disconnect-CAClient
Connect-CAClient
Most Change Auditor commands require a connection to a coordinator, which is then passed to each
command. From a single Change Auditor client you can manage Change Auditor in the same forest or in a
different forest.
Use this command to create a connection object to use within a script. A default connection will be used
when one is not specified.
TIP: As a best practice, it is recommended to acquire a connection and use it for the entire script.
You can make multiple connections to different coordinators or deployments in the same script.
NOTE: Connections will be closed when the PowerShell session is ended or disconnected.
$connection = Connect-CAClient
Disconnect-CAClient
Use this command to disconnect from Change Auditor. (This is the equivalent of closing the Change Auditor
client.)
Example: Connect to a Change Auditor deployment, and then close the connection
$connection = Connect-CAClient -DeploymentName DEFAULT
# perform some actions
Disconnect-CAClient $connection
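The find, connect and disconnect steps combined into one script that follows the guide's advice to acquire a single connection for the whole run. This is an added example, not code from the Dell guide; it assumes the module is already imported, that the installation is named DEFAULT (the name in the guide's own examples), and that Get-CAInstallation accepts the same -Connection parameter the guide shows for Get-CACoordinators.

```powershell
# Added example; not code from the Dell guide. Locates a coordinator the current
# credentials can reach, opens one connection for the whole script, and releases it
# even if a later step throws.
# Assumptions: the module is already imported; the installation is named DEFAULT;
# Get-CAInstallation takes -Connection like the other Get-CA* cmdlets in the guide.

$installationName = 'DEFAULT'

# Find-CASuitableCoordinator returns only a coordinator that a connection can be made
# to; the search is scoped to the current forest unless -DomainName is supplied.
$coordinator = Find-CASuitableCoordinator -InstallationName $installationName
if (-not $coordinator) {
    throw "No reachable coordinator found for installation '$installationName'"
}
"Suitable coordinator: $($coordinator | Out-String)"

$connection = $null
try {
    # One connection, reused by every later command (the guide's recommended practice).
    $connection = Connect-CAClient -DeploymentName $installationName

    # Work that needs the connection goes here; these calls mirror the guide's
    # "Gathering Change Auditor system information" section.
    $installation = Get-CAInstallation -Connection $connection
    $coordinators = @(Get-CACoordinators -Connection $connection)

    "Installation: $($installation | Out-String)"
    "Coordinators reported: $($coordinators.Count)"
}
finally {
    # finally runs on success, on a thrown error and on Ctrl+C, so an aborted script
    # does not leave a client session open on the coordinator.
    if ($connection) { Disconnect-CAClient $connection }
}
```

Putting Disconnect-CAClient in a finally block is the scripted equivalent of closing the client: the session is released whether the script finishes, throws, or is interrupted.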
Get-CACoordinator
Get-CACoordinators
Get-CAInstallation
Get-CAAgents
Get-CACoordinator
Use this command to retrieve coordinator-specific (as opposed to installation-wide) status information from the
connected coordinator, such as coordinator name, status, deployment name, version, connected agents,
connected legacy agents, connected clients, client port, total events, and buffered events. These values may
differ on each coordinator.
Get-CACoordinators
Use this command to gather information about all the coordinators in a Change Auditor installation.
Example: Gather coordinator information for all coordinators for a specified connection
Get-CACoordinators -Connection $connection
Get-CAInstallation
Use this command to retrieve installation-specific (as opposed to coordinator-specific) status information,
including the installation name, database server, database name, and database size.
Get-CAAgents
Use this command to view information on all available agents.
NOTE: This will return information for workstation, server, and Domain Controller agents.
Table 55. Available parameters
Parameter
Description
-Connection
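One practical use of Get-CACoordinators and Get-CAAgents is to baseline the coordinator and agent inventory and diff each run against the previous one, so an agent that stops reporting or a coordinator whose status changes is noticed. This is an added example, not code from the Dell guide; it assumes $Connection comes from Connect-CAClient and that the returned objects serialise with ConvertTo-Json. The guide does not document the objects' property names, so nothing below depends on them; the snapshot directory is a placeholder.

```powershell
# Added example; not code from the Dell guide. Snapshots the coordinator and agent
# inventory as sorted text and diffs it against the previous snapshot.
# Assumptions: $Connection was created with Connect-CAClient; the objects returned by
# Get-CACoordinators and Get-CAAgents serialise with ConvertTo-Json (their property
# names are not listed in the guide, so the code does not rely on any of them).

function Get-CAInventorySnapshot {
    param([Parameter(Mandatory)] $Connection)
    # One line of compact JSON per object, prefixed with its kind. Sorting the text
    # makes the set comparable regardless of the order the cmdlets return objects.
    $coordinators = Get-CACoordinators -Connection $Connection |
        ForEach-Object { 'coordinator ' + ($_ | ConvertTo-Json -Compress -Depth 2) }
    $agents = Get-CAAgents -Connection $Connection |
        ForEach-Object { 'agent ' + ($_ | ConvertTo-Json -Compress -Depth 2) }
    @($coordinators) + @($agents) | Sort-Object
}

function Compare-CAInventory {
    param(
        [Parameter(Mandatory)] $Connection,
        # Placeholder location; any directory the scheduled account can write to.
        [string] $SnapshotDir = (Join-Path $env:ProgramData 'CA-Inventory')
    )
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    $latest   = Join-Path $SnapshotDir 'latest.txt'
    $previous = if (Test-Path -LiteralPath $latest) { @(Get-Content -LiteralPath $latest) } else { @() }

    $current = @(Get-CAInventorySnapshot -Connection $Connection)

    # '<=' marks a line present only in the old snapshot, '=>' one present only in the
    # new snapshot. An agent that stopped reporting shows as '<=' with no matching '=>';
    # a changed status or version shows as one of each.
    $diff = @(Compare-Object -ReferenceObject $previous -DifferenceObject $current)
    foreach ($d in $diff) {
        $label = if ($d.SideIndicator -eq '<=') { 'GONE/CHANGED ' } else { 'NEW/CHANGED  ' }
        "$label $($d.InputObject)"
    }

    # Keep the new snapshot as the next baseline, plus a dated copy for history.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $current | Set-Content -LiteralPath (Join-Path $SnapshotDir "inventory-$stamp.txt")
    $current | Set-Content -LiteralPath $latest
    return $diff.Count
}

# Usage:
#   $connection = Connect-CAClient -DeploymentName DEFAULT
#   $changes = Compare-CAInventory -Connection $connection
#   Disconnect-CAClient $connection
```

Counters such as total events and buffered events change on every run and would show up as noise; once you know the property names your version returns, exclude them with Select-Object -ExcludeProperty before ConvertTo-Json so only real inventory changes are reported.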
Install-CAAgent
Uninstall-CAAgent
Update-CAAgent
Install-CAAgent
Use this command to install an agent.
Table 56. Available parameters
Parameter
Description
-Connection
-MachineName
-Credentials
-OperationTime
Uninstall-CAAgent
Use this command to uninstall an agent.
Table 57. Available parameters
Parameter
Description
-Connection
-MachineName
-Credentials
-OperationTime
Update-CAAgent
Use this command to upgrade an agent.
Table 58. Available parameters
Parameter
Description
-Connection
-Agent
-Credentials
-OperationTime
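The agent commands above, used for a rollout to several servers that records the result per machine instead of stopping at the first failure and then confirms the new agents with Get-CAAgents. This is an added example, not code from the Dell guide. The guide names the -Credentials and -OperationTime parameters but not their types, so it is assumed here that -Credentials takes a PSCredential and -OperationTime a DateTime for when the coordinator should perform the install; the server names are constructed placeholders.

```powershell
# Added example; not code from the Dell guide. Rolls the agent out to a list of
# servers one at a time, records the outcome per machine, then polls Get-CAAgents
# until every submitted target reports in or a timeout expires.
# Assumptions (parameters named in the guide, types not documented there):
#   -Credentials   takes a PSCredential with rights to install on the target;
#   -OperationTime takes the DateTime at which the coordinator performs the install.
# The server names below are constructed placeholders.

$connection = Connect-CAClient -DeploymentName DEFAULT
$credential = Get-Credential -Message 'Account with local administrator rights on the targets'
# Run now; set this to a maintenance-window time to defer the installs.
$when = Get-Date

$targets = @('SRV-FILE01', 'SRV-SQL01', 'SRV-WEB01')

$results = foreach ($machine in $targets) {
    try {
        Install-CAAgent -Connection $connection -MachineName $machine `
                        -Credentials $credential -OperationTime $when -ErrorAction Stop
        [pscustomobject]@{ Machine = $machine; Status = 'Submitted'; Error = $null }
    }
    catch {
        # One unreachable host must not abort the whole rollout; record it and continue.
        [pscustomobject]@{ Machine = $machine; Status = 'Failed'; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# The coordinator performs the installs asynchronously. Poll the agent list (rendered as
# text, because the guide does not document the agent object's property names) until
# every submitted target appears or the deadline passes.
$submitted = @($results | Where-Object Status -eq 'Submitted' | ForEach-Object Machine)
$deadline  = (Get-Date).AddMinutes(30)
do {
    $known   = @(Get-CAAgents -Connection $connection | Out-String -Stream)
    $missing = @($submitted | Where-Object {
        $pattern = [regex]::Escape($_)
        -not ($known | Where-Object { $_ -match $pattern })
    })
    if ($missing) { Start-Sleep -Seconds 60 }
} while ($missing -and (Get-Date) -lt $deadline)

if ($missing) { "Still not reporting: $($missing -join ', ')" } else { 'All submitted targets are reporting.' }
Disconnect-CAClient $connection
```

A target that was submitted but never appears in Get-CAAgents is the one to investigate: the install either failed on the host or the agent cannot reach the coordinator. Uninstall-CAAgent takes the same -Connection, -MachineName, -Credentials and -OperationTime parameters, so the same per-machine loop serves for a controlled removal.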
About Dell
Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.
Contacting Dell
Technical Support:
Online Support
Product Questions and Sales:
(800) 306-9329
Email:
info@software.dell.com